Block port 443 for all protocols other than HTTPS or WSS.

This addresses the history leak (on non-preloaded HSTS sites) from https://crbug.com/436451:

  "If we ask Chrome to load http://example.com:443, it will definitely fail, because Chrome will make plain-text HTTP request to port 443 of the server. However, if example.com is a Known HSTS Host of Chrome (meaning either the user has visited https://example.com before, or it is on the HSTS preload list), it will send request to https://example.com:443, and the request will succeed. We can use JavaScript to differentiate the two cases, since in the first case, onerror event is triggered, while in the second case, onload event is triggered.

  Therefore, a malicious website can include well-chosen cross-domain images and use this trick to brute-force a list of domains that users have visited. Note that the list could only contain HSTS-enabled but not preloaded websites."

BUG=436451

Review URL: https://codereview.chromium.org/770343003

Cr-Commit-Position: refs/heads/master@{#306959}
4 files changed