JS: Address PR review comments

- Fix misplaced semicolons in test files (was inside comment, moved before it)
- Update QLdoc comments to reference new browser source kind names
- Update docs to list browser source kinds and fix outdated 'only remote' note

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst

@@ -406,7 +406,7 @@ Adds a new taint source. Most taint-tracking queries will use the new source.
 
 - **type**: Name of a type from which to evaluate **path**.
 - **path**: Access path leading to the source.
-- **kind**: Kind of source to add. Currently only **remote** is used.
+- **kind**: Kind of source to add. See the section on :ref:`source kinds <threat-models-javascript>` for supported values.
 
 Example:
 
@@ -553,7 +553,16 @@ Kinds
 Source kinds
 ~~~~~~~~~~~~
 
-See documentation below for :ref:`Threat models <threat-models-javascript>`.
+- **remote**: A general source of remote flow.
+- **browser**: A source in the browser environment that does not fit a more specific browser kind.
+- **browser-url-query**: A source derived from the query parameters of the browser URL, such as ``location.search``.
+- **browser-url-fragment**: A source derived from the fragment part of the browser URL, such as ``location.hash``.
+- **browser-url-path**: A source derived from the pathname of the browser URL, such as ``location.pathname``.
+- **browser-url**: A source derived from the browser URL, where the untrusted part is prefixed by trusted data such as the scheme and hostname.
+- **browser-window-name**: A source derived from the window name, such as ``window.name``.
+- **browser-message-event**: A source derived from cross-window message passing, such as ``event`` in ``window.onmessage = event => {...}``.
+
+See also :ref:`Threat models <threat-models-javascript>`.
 
 Sink kinds
 ~~~~~~~~~~

javascript/ql/lib/semmle/javascript/security/dataflow/RemoteFlowSources.qll

@@ -85,16 +85,16 @@ class ClientSideRemoteFlowKind extends string {
    */
   predicate isUrl() { this = "browser-url" }
 
-  /** Holds if this is the `query` or `fragment` kind. */
+  /** Holds if this is the `browser-url-query` or `browser-url-fragment` kind. */
   predicate isQueryOrFragment() { this.isQuery() or this.isFragment() }
 
-  /** Holds if this is the `path`, `query`, or `fragment` kind. */
+  /** Holds if this is the `browser-url-path`, `browser-url-query`, or `browser-url-fragment` kind. */
   predicate isPathOrQueryOrFragment() { this.isPath() or this.isQuery() or this.isFragment() }
 
-  /** Holds if this is the `path` or `url` kind. */
+  /** Holds if this is the `browser-url-path` or `browser-url` kind. */
   predicate isPathOrUrl() { this.isPath() or this.isUrl() }
 
-  /** Holds if this is the `name` kind, describing sources derived from the window name, such as `window.name`. */
+  /** Holds if this is the `browser-window-name` kind, describing sources derived from the window name, such as `window.name`. */
   predicate isWindowName() { this = "browser-window-name" }
 
   /**

javascript/ql/test/query-tests/Security/CWE-918/clientSide.js

@@ -24,5 +24,5 @@ export function MyComponent() {
     request(window.location.href + '?q=123');
 
     const custom = require('testlib').getBrowserSource(); // $ Source[js/client-side-request-forgery]
-    request(custom) // $ Alert[js/client-side-request-forgery];
+    request(custom); // $ Alert[js/client-side-request-forgery]
 }

javascript/ql/test/query-tests/Security/CWE-918/serverSide.js

@@ -148,4 +148,4 @@ var server2 = http.createServer(function (req, res) {
 });
 
 const custom = require('testlib').getServerSource(); // $ Source[js/request-forgery]
-request(custom) // $ Alert[js/request-forgery];
+request(custom); // $ Alert[js/request-forgery]