diff --git a/config/win/BUILD.gn b/config/win/BUILD.gn
index 015499060..6cc4b1b9f 100644
--- a/config/win/BUILD.gn
+++ b/config/win/BUILD.gn
@@ -6,6 +6,7 @@ import("//build/config/chrome_build.gni")
 import("//build/config/clang/clang.gni")
 import("//build/config/compiler/compiler.gni")
 import("//build/config/sanitizers/sanitizers.gni")
+import("//build/config/win/control_flow_guard.gni")
 import("//build/config/win/visual_studio_version.gni")
 import("//build/timestamp.gni")
 import("//build/toolchain/goma.gni")
@@ -89,11 +90,15 @@ config("compiler") {
   # Tell clang which version of MSVC to emulate.
   cflags += [ "-fmsc-version=1916" ]
 
-  # Emit table of address-taken functions for Control-Flow Guard (CFG). We
-  # don't emit the CFG checks themselves, but this enables the functions to
-  # be called by code that is built with those checks enabled, such as system
-  # libraries.
-  cflags += [ "/guard:cf,nochecks" ]
+  # Emit table of address-taken functions for Control-Flow Guard (CFG).
+  # This is needed to allow functions to be called by code that is built
+  # with CFG enabled, such as system libraries.
+  # The CFG guards are only emitted if |win_enable_cfg_guards| is enabled.
+  if (win_enable_cfg_guards) {
+    cflags += [ "/guard:cf" ]
+  } else {
+    cflags += [ "/guard:cf,nochecks" ]
+  }
 
   if (is_component_build) {
     cflags += [
diff --git a/config/win/control_flow_guard.gni b/config/win/control_flow_guard.gni
new file mode 100644
index 000000000..bf6a82af0
--- /dev/null
+++ b/config/win/control_flow_guard.gni
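Review bot: The new `if (win_enable_cfg_guards)` branch only switches the compiler flag, but CFG is enforced at runtime only when the image is also linked with `/guard:cf` so the loader marks it CFG-enabled, and this hunk shows no matching `ldflags` change in `config("compiler")` (that block starts and ends outside the hunk). If the linker flag is set elsewhere, the comment should point to it, e.g. `# The matching /guard:cf linker flag is set in <location>`; if it is not, the checks are compiled in but never enforced, which is a silent no-op for a security setting. With the arg off the default stays `/guard:cf,nochecks`, so existing builds keep emitting only the address-taken table and the change is opt-in.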
@@ -0,0 +1,23 @@
+# Copyright 2020 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import("//build/config/sanitizers/sanitizers.gni")
+
+declare_args() {
+  # Set this to true to enable generation of CFG indirect call dispatch
+  # guards.
+  win_enable_cfg_guards = false
+}
+
+if (win_enable_cfg_guards) {
+  # Control Flow Guard (CFG)
+  # https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065.aspx
+  # /DYNAMICBASE (ASLR) is turned off in debug builds, therefore CFG can't be
+  # turned on either.
+  # ASan and CFG leads to slow process startup. Chromium's test runner uses
+  # lots of child processes, so this means things are really slow. Disable CFG
+  # for now. https://crbug.com/846966
+  assert(!is_debug && !is_asan,
+         "CFG does not work well in debug builds or with ASAN")
+}
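Review bot: The `declare_args()` comment on `win_enable_cfg_guards` is what `gn args --list` shows, yet it says nothing about the restriction the `assert` below enforces, so a debug or ASan build only discovers the constraint when generation fails. Suggest extending the comment: `# Set this to true to enable generation of CFG indirect call dispatch` / `# guards. Requires a non-debug, non-ASan build (see the assert below).` The assert message is the only other place the constraint is stated, so keep the two in sync if the condition grows beyond `is_debug` and `is_asan`.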