[Win10 sandbox mitigations] Four new Win10 mitigations added.

content/common/sandbox_win.cc

Index: content/common/sandbox_win.cc
diff --git a/content/common/sandbox_win.cc b/content/common/sandbox_win.cc
index 523073863b7c667862146a9fe0d102bcafc3585d..83a4013de51e64b3784fe82729bb1783b8141174 100644
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -698,11 +698,17 @@ base::Process StartSandboxedProcess(
 
   sandbox::TargetPolicy* policy = g_broker_services->CreatePolicy();
 
-  sandbox::MitigationFlags mitigations = sandbox::MITIGATION_HEAP_TERMINATE |
-                                         sandbox::MITIGATION_BOTTOM_UP_ASLR |
-                                         sandbox::MITIGATION_DEP |
-                                         sandbox::MITIGATION_DEP_NO_ATL_THUNK |
-                                         sandbox::MITIGATION_SEHOP;
+  // Pre-startup mitigations.
+  sandbox::MitigationFlags mitigations =
+      sandbox::MITIGATION_HEAP_TERMINATE |
+      sandbox::MITIGATION_BOTTOM_UP_ASLR |
+      sandbox::MITIGATION_DEP |
+      sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+      sandbox::MITIGATION_SEHOP;
+  // Enabling in follow-up CL.

[Will Harris, 2016/02/01 21:33:57]

Don't comment them out. just don't add them please. There is no dead or disabled
code in chromium, it's just not committed.

[penny, 2016/02/02 00:10:01]

Done.

+  // sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE |
+  // sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
+  // sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
 
   if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
     return base::Process();
@@ -715,6 +721,7 @@ base::Process StartSandboxedProcess(
   }
 #endif
 
+  // Post-startup mitigations.
   mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
                 sandbox::MITIGATION_DLL_SEARCH_ORDER;