
Issue 504006 link

Starred by 6 users

Issue metadata

Status: Fixed
Last visit > 30 days ago
Closed: Feb 2016
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug

Blocked on:
issue 584389

issue 586291


Add New Process Mitigation Policies for Win10+

Project Member Reported by, Jun 24 2015

Issue description

This is a placeholder for disabling non-system fonts on Windows 10 for all processes using the new ProcessFontDisablePolicy mitigation policy. Some initial testing indicates it does what it says it does (namely blocking file-based or memory-based fonts being loaded into GDI) and has no obvious impact on rendering of Web Fonts, Flash with custom fonts or PDF with custom fonts; however, more extensive testing will be necessary.

Initial implementation at
Labels: Hotlist-Recharge
This issue likely requires triage. The current issue owner may be inactive (i.e. hasn't fixed an issue in the last 30 days). Thanks for helping out!

Labels: Cr-Internals-PlatformIntegration
Summary: Add New Process Mitigation Policies for Win10+ (was: Implement The Disable Non-System Fonts Process Policy on Win10)
Changing this to be more generic as Windows 10 TH2 added a few more policies which we might want to implement:

PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON - Prevents mapping image sections from remote file systems (probably mainly to prevent current-directory DLL loads off UNC from document readers etc.)
PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON - Prevents mapping image sections from a low IL file.

PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY - Restricts creation of child processes, works without a job object enforcing thing. Seems to block the condrv job breakout trick.
I guess I forgot this bug existed. pennymac@ was looking at doing this, now that the Win10 SDK is finally landed.
Welcome to let someone else worry about this, although with the SDK in place the changes should be minimal.
Labels: M-49
Status: Started
I've started to add in


Win10 SDK version 10586 (TH2) should be hitting trunk in the win_toolchain soon.

Awaiting reviews and VS2015 (10586) to land as default on trunk.
Woohoo.  Bruce has landed the depot_tools hash change required for SDK 10586 with Visual Studio 2013.  No longer blocked on VS2015.

Thanks Bruce.

Project Member

Comment 10 by, Feb 3 2016

The following revision refers to this bug:

commit 441d852dbcb7b9b31328393c7e31562b1e268399
Author: Penny MacNeil <>
Date: Wed Feb 03 17:33:31 2016

[Win10 sandbox mitigations]  Four new Win10 mitigations added.

1. Disable non-system font loading on >= WIN10 (MITIGATION_NONSYSTEM_FONT_DISABLE).
2. Disable image loads from remote devices on >= WIN10_TH2 (MITIGATION_IMAGE_LOAD_NO_REMOTE).
3. Disable loading images that are labelled low integrity mandatory on >= WIN10_TH2 (MITIGATION_IMAGE_LOAD_NO_LOW_LABEL).
4. Extra disabling of child process creation on >= WIN10_TH2.  In BrokerServicesBase::SpawnTarget(), if JobLevel <= JOB_LIMITED_USER, set PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY to PROCESS_CREATION_CHILD_PROCESS_RESTRICTED via UpdateProcThreadAttribute().

This CL enables all four mitigations on every Chrome process except for
browser.  sbox_integration_tests have also been updated appropriately.

base::win::VERSION_WIN10_TH2 has been added to identify
Threshold 2/1511/10586.

BUG= 504006,

Review URL: .

Cr-Commit-Position: refs/heads/master@{#373265}


Project Member

Comment 11 by, Feb 3 2016

The following revision refers to this bug:

commit 57b8827f887030911545998cf25a4a23fb21b49b
Author: Nico Weber <>
Date: Wed Feb 03 21:00:17 2016

clang/win: Fix -Wmissing-braces warning.

No behavior change.

BUG=82385, 504006

Review URL: .

Cr-Commit-Position: refs/heads/master@{#373336}


Project Member

Comment 12 by, Feb 3 2016

The following revision refers to this bug:

commit 4ce19b8ce692bf6c1b885a5e07e7737c485bf591
Author: pennymac <>
Date: Wed Feb 03 21:44:08 2016

[Win10 sandbox mitigations] Enable the 3 new mitigations.

Turning on 3 new mitigations for all child processes (pre-startup).
This CL follows
BUG=504006

Review URL:

Cr-Commit-Position: refs/heads/master@{#373346}


Blockedon: chromium:584389
Labels: -Hotlist-Recharge -M-49 M-50
First started hitting canary with 50.0.2640.0.
A few win10 users reported web fonts are not working in recent canaries (Bug 586291).
Also UMA timeline indicates a significant increase of web font load error since February 4:
Could this be caused by these mitigation changes?

I talked to pennymac. We probably want to switch MITIGATION_NONSYSTEM_FONT_DISABLE based on the directwrite flag status until all the fallback issues are resolved and we can drop GDI.
Blocking: 586291
Thanks for the heads up ksakamoto@!

I've got a patch under review:  It will definitely be in before M50 branches to beta (hopefully in the next couple days).

Project Member

Comment 19 by, Feb 23 2016

The following revision refers to this bug:

commit 247218e258a2491967b63d5dddb63a1e90b9dc42
Author: pennymac <>
Date: Tue Feb 23 23:15:51 2016

[Win10 sandbox mitigations] MITIGATION_NONSYSTEM_FONT_DISABLE adjustment.

in child processes only when Direct Write is enabled (not for GDI).
This CL follows,
BUG=504006, 586291

Review URL:

Cr-Commit-Position: refs/heads/master@{#377110}
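As an added example (not Chromium's sandbox code and not from any CL in this thread), the following C program shows how a broker process applies the four mitigations discussed above when spawning a child: the three `PROCESS_CREATION_MITIGATION_POLICY_*_ALWAYS_ON` bits go into a `DWORD64` passed via `PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY`, and `PROCESS_CREATION_CHILD_PROCESS_RESTRICTED` goes into `PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY`, both through `UpdateProcThreadAttribute()` on a `STARTUPINFOEX` attribute list. It also encodes the two gating rules from comments 10 and 19: the image-load and child-process policies only on build 10586 (TH2) or later, and the font mitigation only when the child uses DirectWrite rather than GDI. The job-level enum, the build-number thresholds (10240 for Windows 10 RTM is mine; 10586 is from the thread), the function names and the hard-coded build in `main` are assumptions; the macro values outside `_WIN32` are copied from winbase.h so the policy logic builds and runs on any platform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* Windows 10 SDK: exposes the TH2 child-process attribute */
#include <windows.h>
#else
/* Constant values copied from winbase.h so the policy logic builds off-Windows;
   on Windows the real headers above provide them. */
#define PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON            (0x00000001ULL << 48)
#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON    (0x00000001ULL << 52)
#define PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON (0x00000001ULL << 56)
#define PROCESS_CREATION_CHILD_PROCESS_RESTRICTED 0x01
#endif

/* Build-number thresholds used as version gates (assumption: 10240 = Win10 RTM;
   10586 = Threshold 2 / 1511, as stated in the thread). */
#define WIN10_RTM_BUILD 10240u
#define WIN10_TH2_BUILD 10586u

/* Sandbox job levels, most restrictive first. Hypothetical enum modelled on the
   ordering the commit message's rule "JobLevel <= JOB_LIMITED_USER" relies on. */
enum job_level { JOB_LOCKDOWN = 0, JOB_RESTRICTED, JOB_LIMITED_USER,
                 JOB_INTERACTIVE, JOB_UNPROTECTED, JOB_NONE };

/* Value for PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY.
   build:       OS build number the broker is running on.
   directwrite: true when the child renders text with DirectWrite; GDI text still
                needs GDI font loads, so the font mitigation is skipped for it. */
uint64_t mitigation_policy_for(unsigned build, bool directwrite)
{
    uint64_t policy = 0;
    if (build >= WIN10_RTM_BUILD && directwrite)
        policy |= PROCESS_CREATION_MITIGATION_POLICY_FONT_DISABLE_ALWAYS_ON;
    if (build >= WIN10_TH2_BUILD) {
        policy |= PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_REMOTE_ALWAYS_ON;
        policy |= PROCESS_CREATION_MITIGATION_POLICY_IMAGE_LOAD_NO_LOW_LABEL_ALWAYS_ON;
    }
    return policy;
}

/* Value for PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY: restrict child creation
   for targets at JOB_LIMITED_USER or tighter, independent of any job object. */
uint32_t child_process_policy_for(unsigned build, enum job_level level)
{
    if (build >= WIN10_TH2_BUILD && level <= JOB_LIMITED_USER)
        return PROCESS_CREATION_CHILD_PROCESS_RESTRICTED;
    return 0;
}

#ifdef _WIN32
/* Spawn cmdline with both attributes applied before the target starts. */
BOOL spawn_mitigated(LPWSTR cmdline, DWORD64 policy, DWORD child_policy,
                     PROCESS_INFORMATION *pi)
{
    SIZE_T size = 0;
    InitializeProcThreadAttributeList(NULL, 2, 0, &size);   /* sizing call */
    LPPROC_THREAD_ATTRIBUTE_LIST list =
        (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
    if (!list || !InitializeProcThreadAttributeList(list, 2, 0, &size)) {
        if (list) HeapFree(GetProcessHeap(), 0, list);
        return FALSE;
    }
    BOOL ok = UpdateProcThreadAttribute(list, 0, PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                                        &policy, sizeof(policy), NULL, NULL) &&
              UpdateProcThreadAttribute(list, 0, PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY,
                                        &child_policy, sizeof(child_policy), NULL, NULL);
    STARTUPINFOEXW si;
    ZeroMemory(&si, sizeof(si));
    si.StartupInfo.cb = sizeof(si);
    si.lpAttributeList = list;
    if (ok)
        ok = CreateProcessW(NULL, cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT,
                            NULL, NULL, &si.StartupInfo, pi);
    DeleteProcThreadAttributeList(list);
    HeapFree(GetProcessHeap(), 0, list);
    return ok;
}
#endif

int main(void)
{
    unsigned build = WIN10_TH2_BUILD;    /* constructed: pretend the broker runs on TH2 */
    uint64_t policy = mitigation_policy_for(build, true);
    uint32_t child = child_process_policy_for(build, JOB_LOCKDOWN);
    printf("mitigation policy 0x%016llx, child process policy %u\n",
           (unsigned long long)policy, child);
#ifdef _WIN32
    PROCESS_INFORMATION pi;
    wchar_t cmd[] = L"notepad.exe";      /* CreateProcessW may write to this buffer */
    if (spawn_mitigated(cmd, policy, child, &pi)) {
        WaitForSingleObject(pi.hProcess, 2000);
        TerminateProcess(pi.hProcess, 0);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
#endif
    return 0;
}
```

On a real broker the build number comes from the OS rather than a constant, and a target below TH2 simply gets a zero child-process policy, which is why the CL gates that attribute on `VERSION_WIN10_TH2`. Note that the mitigation bits are applied at creation time, so a child that never reaches the kernel's font or image-load checks (as with the GDI fallback that broke web fonts in comment 15) shows the effect only as load failures in the child, not as a spawn error in the broker.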


Status: Fixed (was: Started)
Small fix for GDI fonts started going out in 50.0.2658.0 canary (see bug 586291).

Note that this fix was in for the M50 branch, so no merge needed.

Tentatively setting this ticket to fixed for now.
