diff --git a/web/packages/core/src/ruffle-imports.ts b/web/packages/core/src/ruffle-imports.ts
index b3a8cf40ed000..821e3c33ceee0 100644
--- a/web/packages/core/src/ruffle-imports.ts
+++ b/web/packages/core/src/ruffle-imports.ts
@@ -70,6 +70,9 @@ export function copyToAudioBufferInterleaved(
 export function callExternalInterface(name: string, args: any[]): any {
 // [NA] Yes, this is direct eval. Yes, this is a Bad Thing when it comes to security.
 // In fact, yes this is vulnerable to an XSS attack!
- // But plot twist: Flash allowed for this and many content *relies on it*. :(
+ // But plot twist: Flash allowed for this and many games *relies on it*. :(
+ // Flash content can do `call("eval", "....")` regardless, this doesn't enable anything that wasn't already permitted.
+ // It just goes against what the documentation says, and *looks* really suspicious.
+ // Content can only run this if the website has enabled `allowScriptAccess`, so it has to be enabled by the website too.
 return eval(`(${name})(...args)`);
 }
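Review bot: The added comment states that content can only reach this path when the website has enabled `allowScriptAccess`, but `callExternalInterface` itself performs no such check, so a reader of this function cannot verify the claim from the code in front of them — the comment should name where the gate actually lives, e.g. `// The allowScriptAccess check is enforced by the caller, not here; this function assumes it has already passed.`, so the security argument is traceable. It is also worth stating precisely what the `eval` exposes: `name` is spliced into source text, so it is an arbitrary JavaScript expression evaluated with direct-eval (local) scope rather than merely a function identifier, while `args` are passed as values — that is the XSS surface the existing comment alludes to. The justification "doesn't enable anything that wasn't already permitted" holds only for content that already has script access; the trust boundary is the embedding page's setting, not the SWF, and saying that outright would make the rationale clearer. Minor wording nit on the new line: `many games *relies on it*` should read `rely on it`.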