add importScripts as a sink for js/client-side-unvalidated-url-redirection

Author: erik-krogh

javascript/ql/src/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -132,6 +132,15 @@ module ClientSideUrlRedirect {
     }
   }
 
+  /**
+   * An argument to `importScripts(..)` - which is used inside `WebWorker`s to import new scripts - viewed as a `ScriptUrlSink`.
+   */
+  class ImportScriptsSink extends ScriptUrlSink {
+    ImportScriptsSink() {
+      this = DataFlow::globalVarRef("importScripts").getACall().getAnArgument()
+    }
+  }
+
   /**
    * A script or iframe `src` attribute, viewed as a `ScriptUrlSink`.
    */