[Win10 sandbox mitigations] MITIGATION_NONSYSTEM_FONT_DISABLE adjustment.

content/common/sandbox_win.cc

Index: content/common/sandbox_win.cc
diff --git a/content/common/sandbox_win.cc b/content/common/sandbox_win.cc
index 29fb55713db92c563a4ca2a723682e108769efdf..ebbbc2250867bddc9df8b26357e9ef77b2a13f8c 100644
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -739,6 +739,15 @@ base::Process StartSandboxedProcess(
                   sandbox::TargetPolicy::FILES_ALLOW_READONLY,
                   policy);
 
+      // Turn off the MITIGATION_NONSYSTEM_FONT_DISABLE mitigation
+      // when Direct Write is enabled.

[jschuh, 2016/02/22 22:30:24]

I think this is backward. Don't you want to enable the mitigation only when DW
is enabled?

[penny, 2016/02/23 05:30:37]

Done.

+      sandbox::MitigationFlags temp =
+          ~sandbox::MITIGATION_NONSYSTEM_FONT_DISABLE;
+      mitigations = policy->GetProcessMitigations();
+      mitigations &= temp;
+      if (policy->SetProcessMitigations(mitigations) != sandbox::SBOX_ALL_OK)
+        return base::Process();
+
       if (!ShouldUseDirectWriteFontProxyFieldTrial()) {
         // If DirectWrite is enabled for font rendering then open the font
         // cache section which is created by the browser and pass the handle to