Add CodeQL comments (#50)

microsoft · Jun 21, 2023 · 7c0dfb6 · 7c0dfb6
1 parent 15c6965
commit 7c0dfb6
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/src/core/scriptLoader.ts b/src/core/scriptLoader.ts
@@ -170,7 +170,7 @@ namespace AMDLoader {
 			const func = (
 				trustedTypesPolicy
 					? self.eval(trustedTypesPolicy.createScript('', 'true'))
-					: new Function('true')
+					: new Function('true') // CodeQL [SM01632] the loader is responsible with loading code, fetch + eval is used on the web worker instead of importScripts if possible because importScripts is synchronous and we observed deadlocks on Safari
 			);
 			func.call(self);
 			return true;
@@ -226,7 +226,7 @@ namespace AMDLoader {
 						const func = (
 							trustedTypesPolicy
 								? self.eval(trustedTypesPolicy.createScript('', text))
-								: new Function(text)
+								: new Function(text) // CodeQL [SM01632] the loader is responsible with loading code, fetch + eval is used on the web worker instead of importScripts if possible because importScripts is synchronous and we observed deadlocks on Safari
 						);
 						func.call(self);
 						callback();

diff --git a/src/loader.js b/src/loader.js
@@ -656,7 +656,8 @@ var AMDLoader;
         try {
             const func = (trustedTypesPolicy
                 ? self.eval(trustedTypesPolicy.createScript('', 'true'))
-                : new Function('true'));
+                : new Function('true') // CodeQL [SM01632] the loader is responsible with loading code, fetch + eval is used on the web worker instead of importScripts if possible because importScripts is synchronous and we observed deadlocks on Safari
+            );
             func.call(self);
             return true;
         }
@@ -705,7 +706,8 @@ var AMDLoader;
                         text = `${text}\n//# sourceURL=${scriptSrc}`;
                         const func = (trustedTypesPolicy
                             ? self.eval(trustedTypesPolicy.createScript('', text))
-                            : new Function(text));
+                            : new Function(text) // CodeQL [SM01632] the loader is responsible with loading code, fetch + eval is used on the web worker instead of importScripts if possible because importScripts is synchronous and we observed deadlocks on Safari
+                        );
                         func.call(self);
                         callback();
                     }).then(undefined, errorback);