From 42917764730aa0809f846d9b0d4301cbb85ffadd Mon Sep 17 00:00:00 2001
From: Marshall Greenblatt <magreenblatt@gmail.com>
Date: Wed, 4 Mar 2020 15:58:12 -0500
Subject: [PATCH] Windows: Update cef_sandbox mitigations to match Chromium

---
 libcef_dll/sandbox/sandbox_win.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libcef_dll/sandbox/sandbox_win.cc b/libcef_dll/sandbox/sandbox_win.cc
index b27ba60d7..f8cdcc91f 100644
--- a/libcef_dll/sandbox/sandbox_win.cc
+++ b/libcef_dll/sandbox/sandbox_win.cc
@@ -17,7 +17,11 @@ void InitializeSandboxInfo(sandbox::SandboxInterfaceInfo* info) {
   } else {
     // Ensure the proper mitigations are enforced for the browser process.
     sandbox::ApplyProcessMitigationsToCurrentProcess(
-        sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK);
+        sandbox::MITIGATION_DEP | sandbox::MITIGATION_DEP_NO_ATL_THUNK |
+        sandbox::MITIGATION_HARDEN_TOKEN_IL_POLICY);
+    // Note: these mitigations are "post-startup".  Some mitigations that need
+    // to be enabled sooner (e.g. MITIGATION_EXTENSION_POINT_DISABLE) are done
+    // so in Chrome_ELF.
   }
 }