This article covers features introduced in SpiderMonkey 1.8.1

Configure SpiderMonkey security hooks.


/* Added in SpiderMonkey 17 */

JS_SetSecurityCallbacks(JSRuntime *rt, const JSSecurityCallbacks *callbacks);

const JSSecurityCallbacks *
JS_GetSecurityCallbacks(JSRuntime *rt);

/* Obsolete since JSAPI 13 */

JSSecurityCallbacks *
JS_SetContextSecurityCallbacks(JSContext *cx, JSSecurityCallbacks *callbacks);

JSSecurityCallbacks *
JS_GetRuntimeSecurityCallbacks(JSRuntime *rt);

JSSecurityCallbacks *
JS_SetRuntimeSecurityCallbacks(JSRuntime *rt, JSSecurityCallbacks *callbacks);
Name Type Description
rt JSRuntime * A runtime to get/set the security callbacks.
callbacks const JSSecurityCallbacks * A pointer to the new callbacks for the runtime.

Callback Structure

struct JSSecurityCallbacks {
    JSCSPEvalChecker           contentSecurityPolicyAllows; // Added in SpiderMonkey 1.8.5
    JSSubsumesOp               subsumes; // Added in SpiderMonkey 31

    JSCheckAccessOp            checkObjectAccess;    // Obsolete since JSAPI 29

    JSPrincipalsTranscoder     principalsTranscoder; // Obsolete since JSAPI 13
    JSObjectPrincipalsFinder   findObjectPrincipals; // Obsolete since JSAPI 13
Name Type Description
contentSecurityPolicyAllows JSCSPEvalChecker A pointer to the function which checks if a CSP instance wants to disable eval() and friends. Use NULL is not needed.
subsumes JSSubsumesOp A pointe to the function which returns whether the first principal subsumes the second. Use NULL is not needed.


JS_SetSecurityCallbacks sets the runtime's security callbacks to callbacks. It allows the embedding to control certain aspects of JS code execution based on security settings of the global object the code is executed in. If callbacks is NULL, it sets callbacks to default value.

JS_GetSecurityCallbacks returns the runtime's current security callbacks. If the callbacks are default value, it returns NULL

See Also