[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes.

content/common/sandbox_win.cc

Index: content/common/sandbox_win.cc
diff --git a/content/common/sandbox_win.cc b/content/common/sandbox_win.cc
index e3b8f7defd64ea2af8e0e0c1232387481a8a4f01..2cd1e9c32ca8233f51efe021dc44fe59d5124a0f 100644
--- a/content/common/sandbox_win.cc
+++ b/content/common/sandbox_win.cc
@@ -31,6 +31,7 @@
 #include "base/win/windows_version.h"
 #include "content/common/content_switches_internal.h"
 #include "content/public/common/content_client.h"
+#include "content/public/common/content_features.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/sandbox_init.h"
 #include "content/public/common/sandboxed_process_launcher_delegate.h"
@@ -724,8 +725,10 @@ sandbox::ResultCode StartSandboxedProcess(
       sandbox::MITIGATION_IMAGE_LOAD_NO_REMOTE |
       sandbox::MITIGATION_IMAGE_LOAD_NO_LOW_LABEL;
 
-  sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
+  if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints))
+    mitigations |= sandbox::MITIGATION_EXTENSION_POINT_DISABLE;
 
+  sandbox::ResultCode result = sandbox::SBOX_ERROR_GENERIC;
   result = policy->SetProcessMitigations(mitigations);
 
   if (result != sandbox::SBOX_ALL_OK)