CSP: Port upgrade matching should only apply to insecure source schemes by roberto-apple · Pull Request #62322 · WebKit/WebKit

roberto-apple · 2026-04-09T00:50:42Z

`c82619c`

CSP: Port upgrade matching should only apply to insecure source schemes
https://bugs.webkit.org/show_bug.cgi?id=308747
rdar://171265255

Reviewed by Brent Fulgham.

A CSP source expression such as "frame-src https://host:80" incorrectly
matches https://host (port 443). The mismatch (80 ≠ 443) should cause
a block, but WebKit has scheme upgrade logic that treats default ports
as equivalent during http-to-https transitions. This logic does not
verify the source scheme is insecure, so it treats any source with
port 80 as upgradable — even when the source scheme is already HTTPS.

Have schemeMatches() return a SchemeMatchResult enum that distinguishes
exact matches from insecure-to-secure upgrades, and pass this to
portMatches() so the upgrade path only fires when a scheme upgrade is
actually occurring. This also fixes an edge case with schemeless source
expressions. Both functions are annotated with CSP3 spec step references.

* LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html:
* LayoutTests/platform/wk2/TestExpectations:
* Source/WebCore/page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::portMatches const):

Canonical link: https://commits.webkit.org/311148@main

9692000

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-09T00:50:48Z

EWS run on previous version of this PR (hash 5632161)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	~~🧪 api-mac~~	✅ 🧪 api-wpe		🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	~~🧪 api-mac-debug~~	✅ 🛠 gtk3-libwebrtc
	~~🧪 api-ios~~	~~🧪 mac-wk1~~	✅ 🛠 gtk
	~~🛠 ios-safer-cpp~~	✅ 🧪 mac-wk2	❌ 🧪 gtk-wk2
	~~🛠 vision~~	~~🧪 mac-AS-debug-wk2~~	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	✅ 🧪 vision-wk2	~~🧪 mac-intel-wk2~~
	✅ 🛠 tv	~~🛠 mac-safer-cpp~~
	~~🛠 tv-sim~~
	~~🛠 watch~~
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-09T04:07:24Z

EWS run on previous version of this PR (hash e8c0bac)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	~~🛠 ios-safer-cpp~~	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-09T20:31:15Z

EWS run on previous version of this PR (hash 96a61c8)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	✅ 🛠 ios-apple
✅ 🧪 bindings	❌ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	✅ 🛠 mac-apple
✅ 🧪 webkitperl	❌ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	❌ 🧪 ios-wk2-wpt	~~🧪 api-mac-debug~~	✅ 🛠 gtk3-libwebrtc
	❌ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	~~🛠 ios-safer-cpp~~	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2	⏳ 🛠 jsc-armv7
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp	⏳ 🧪 jsc-armv7-tests
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-10T01:54:33Z

EWS run on previous version of this PR (hash c336b4e)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-10T21:15:17Z

EWS run on previous version of this PR (hash 22e46ff)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	🛠 ios-apple
✅ 🧪 bindings	~~🛠 ios-sim~~	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	🛠 mac-apple
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	~~🧪 api-mac~~	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	~~🧪 api-mac-debug~~	~~🛠 gtk3-libwebrtc~~
	~~🧪 api-ios~~	~~🧪 mac-wk1~~	✅ 🛠 gtk
	~~🛠 ios-safer-cpp~~	✅ 🧪 mac-wk2	~~🧪 gtk-wk2~~
	~~🛠 vision~~	~~🧪 mac-AS-debug-wk2~~	✅ 🧪 api-gtk
	~~🛠 vision-sim~~	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	~~🧪 vision-wk2~~	~~🧪 mac-intel-wk2~~
	✅ 🛠 tv	~~🛠 mac-safer-cpp~~
	~~🛠 tv-sim~~
	~~🛠 watch~~
	✅ 🛠 watch-sim

roberto-apple · 2026-04-10T22:49:35Z

The original reporter identified two cases where CSP source expressions with cross-scheme default ports were unexpectedly allowing resource loads:

frame-src https://localhost:80 matching https://localhost/run.html
frame-src http://localhost:443 matching https://localhost/run.html

After investigation, only case 1 is a bug. The source expression already specifies https, so there is no insecure-to-secure scheme upgrade involved. Since both the source expression and resource urls have an https scheme, port 80 should simply not match port 443. This has been fixed and the iframe is now correctly blocked.

Case 2 is correct behavior per spec. The source expression http scheme upgrades to https (§6.7.2.9 step 1.2), and port 443 matches the resource url's default port (443 for https) (§6.7.2.11 step 5). No change needed.

webkit-early-warning-system · 2026-04-11T00:15:57Z

EWS run on previous version of this PR (hash 2e16ac0)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	✅ 🛠 win	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	❌ 🧪 win-tests	✅ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

webkit-early-warning-system · 2026-04-11T00:15:58Z

EWS run on previous version of this PR (hash 4842d1d)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	🛠 ios-apple
⏳ 🧪 bindings	~~🛠 ios-sim~~	✅ 🛠 mac-AS-debug	~~🧪 wpe-wk2~~	~~🧪 win-tests~~	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	~~🧪 ios-wk2~~	~~🧪 api-mac~~	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	~~🧪 ios-wk2-wpt~~	~~🧪 api-mac-debug~~	~~🛠 gtk3-libwebrtc~~
	~~🧪 api-ios~~	~~🧪 mac-wk1~~	✅ 🛠 gtk
	~~🛠 ios-safer-cpp~~	✅ 🧪 mac-wk2	~~🧪 gtk-wk2~~
	~~🛠 vision~~	~~🧪 mac-AS-debug-wk2~~	✅ 🧪 api-gtk
	~~🛠 vision-sim~~	✅ 🧪 mac-wk2-stress	~~🛠 playstation~~
	~~🧪 vision-wk2~~	~~🧪 mac-intel-wk2~~
	✅ 🛠 tv	~~🛠 mac-safer-cpp~~
	~~🛠 tv-sim~~
	~~🛠 watch~~
	✅ 🛠 watch-sim

brentfulgham

This is a great change. Thank you for tackling it. I had a few minor nits about variable names and the source of the test cases, but otherwise looks great!

brentfulgham · 2026-04-11T02:00:56Z

 }

-bool ContentSecurityPolicySource::portMatches(const URL& url) const
+bool ContentSecurityPolicySource::portMatches(const URL& url, bool isSchemeUpgrade) const


I'm confused by the name isSchemeUpgrade. Is this a directive that we should upgrade any relevant scheme before comparing? Or does it mean the url being passed in has already BEEN upgraded? Or something else?

Also, we try to avoid bool arguments in favor of class enums.

brentfulgham · 2026-04-11T02:02:32Z

+    ["yes", "script-src 127.0.0.1:8000", "https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js"],
+
+    // Tests that HTTPS URL does not match WSS source expression with HTTP default port (secure scheme, no port upgrade).
+    ["no", "script-src wss://127.0.0.1:8000", "https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js"],


Is this block of new tests something we're merging from upstream WPT? Or did you design these tests yourself?

Custom tests. This bug involves default-port upgrade logic (port 80 vs 443), which requires internals.registerDefaultPortForProtocol() to test for which AFAICT WPT doesn't have an equivalent. The closest WPT test (embedded-enforcement/subsumption_algorithm-host_sources-ports.html) cover the subsumption algorithm, not source matching.

annevk

Also concerned about these not being WPTs.

annevk · 2026-04-11T04:22:57Z

-    auto& scheme = m_scheme.isEmpty() ? m_policy->selfProtocol() : m_scheme;
-    auto urlScheme = url.protocol();
+    // A is the source expression's scheme-part (m_scheme, or selfProtocol if empty).
+    // B is the URL's scheme being checked against the policy.


I don’t think these comments add much.

annevk · 2026-04-11T04:24:51Z

 }

-bool ContentSecurityPolicySource::portMatches(const URL& url) const
+bool ContentSecurityPolicySource::portMatches(const URL& url, bool isSchemeUpgrade) const


Also, we try to avoid bool arguments in favor of class enums.

annevk · 2026-04-11T04:26:18Z

+    // A is the source expression's scheme-part (m_scheme, or selfProtocol if empty).
+    // B is the URL's scheme being checked against the policy.
+    const auto& scheme = m_scheme.isEmpty() ? m_policy->selfProtocol() : m_scheme;
+    const auto urlScheme = url.protocol();


I think our typical style is to not use const for local variables

Also concerned about these not being WPTs.

Testing this bug requires overriding default port mappings via internals.registerDefaultPortForProtocol(), which AFAICT WPT can't do. Maybe there are WPT test servers that run on ports 80/443? Otherwise I'm not sure about feasibility for this to be WPT.

webkit-early-warning-system · 2026-04-13T18:04:05Z

EWS run on current version of this PR (hash 9692000)

Details

Misc	iOS, visionOS, tvOS & watchOS	macOS	Linux	Windows	Apple Internal
✅ 🧪 style	✅ 🛠 ios	✅ 🛠 mac	✅ 🛠 wpe	~~🛠 win~~	⏳ 🛠 ios-apple
✅ 🧪 bindings	✅ 🛠 ios-sim	✅ 🛠 mac-AS-debug	✅ 🧪 wpe-wk2	~~🧪 win-tests~~	⏳ 🛠 mac-apple
✅ 🧪 webkitperl	✅ 🧪 ios-wk2	✅ 🧪 api-mac	✅ 🧪 api-wpe		⏳ 🛠 vision-apple
	✅ 🧪 ios-wk2-wpt	✅ 🧪 api-mac-debug	✅ 🛠 gtk3-libwebrtc
	✅ 🧪 api-ios	✅ 🧪 mac-wk1	✅ 🛠 gtk
	✅ 🛠 ios-safer-cpp	✅ 🧪 mac-wk2	✅ 🧪 gtk-wk2
	✅ 🛠 vision	✅ 🧪 mac-AS-debug-wk2	✅ 🧪 api-gtk
✅ 🛠 🧪 merge	✅ 🛠 vision-sim	✅ 🧪 mac-wk2-stress	✅ 🛠 playstation
	✅ 🧪 vision-wk2	✅ 🧪 mac-intel-wk2
	✅ 🛠 tv	✅ 🛠 mac-safer-cpp
	✅ 🛠 tv-sim
	✅ 🛠 watch
	✅ 🛠 watch-sim

https://bugs.webkit.org/show_bug.cgi?id=308747 rdar://171265255 Reviewed by Brent Fulgham. A CSP source expression such as "frame-src https://host:80" incorrectly matches https://host (port 443). The mismatch (80 ≠ 443) should cause a block, but WebKit has scheme upgrade logic that treats default ports as equivalent during http-to-https transitions. This logic does not verify the source scheme is insecure, so it treats any source with port 80 as upgradable — even when the source scheme is already HTTPS. Have schemeMatches() return a SchemeMatchResult enum that distinguishes exact matches from insecure-to-secure upgrades, and pass this to portMatches() so the upgrade path only fires when a scheme upgrade is actually occurring. This also fixes an edge case with schemeless source expressions. Both functions are annotated with CSP3 spec step references. * LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt: * LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html: * LayoutTests/platform/wk2/TestExpectations: * Source/WebCore/page/csp/ContentSecurityPolicySource.cpp: (WebCore::ContentSecurityPolicySource::portMatches const): Canonical link: https://commits.webkit.org/311148@main

webkit-commit-queue · 2026-04-13T23:51:31Z

Committed 311148@main (c82619c): https://commits.webkit.org/311148@main

Reviewed commits have been landed. Closing PR #62322 and removing active labels.

roberto-apple self-assigned this Apr 9, 2026

webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026

roberto-apple removed the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026

roberto-apple changed the title ~~CSP: Fix port upgrade logic matching https://host:80 against https://host~~ CSP: Port upgrade matching should only apply to insecure source schemes Apr 9, 2026

roberto-apple force-pushed the eng/308747 branch from 5632161 to e8c0bac Compare April 9, 2026 04:07

roberto-apple force-pushed the eng/308747 branch from e8c0bac to 96a61c8 Compare April 9, 2026 20:31

webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026

roberto-apple removed the merging-blocked Applied to prevent a change from being merged label Apr 10, 2026

roberto-apple force-pushed the eng/308747 branch from 96a61c8 to c336b4e Compare April 10, 2026 01:54

roberto-apple force-pushed the eng/308747 branch from c336b4e to 22e46ff Compare April 10, 2026 21:15

roberto-apple force-pushed the eng/308747 branch from 22e46ff to 4842d1d Compare April 10, 2026 22:13

roberto-apple marked this pull request as ready for review April 10, 2026 22:49

roberto-apple requested a review from cdumez as a code owner April 10, 2026 22:49

roberto-apple requested review from annevk and rreno April 10, 2026 22:49

roberto-apple force-pushed the eng/308747 branch from 4842d1d to 2e16ac0 Compare April 10, 2026 22:53

brentfulgham approved these changes Apr 11, 2026

View reviewed changes

annevk reviewed Apr 11, 2026

View reviewed changes

roberto-apple force-pushed the eng/308747 branch from 2e16ac0 to 9692000 Compare April 13, 2026 18:03

roberto-apple added the merge-queue Applied to send a pull request to merge-queue label Apr 13, 2026

webkit-commit-queue force-pushed the eng/308747 branch from 9692000 to c82619c Compare April 13, 2026 23:51

webkit-commit-queue merged commit c82619c into WebKit:main Apr 13, 2026

webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Apr 13, 2026

Conversation

roberto-apple commented Apr 9, 2026 • edited by webkit-early-warning-system Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

roberto-apple commented Apr 10, 2026

Uh oh!

webkit-early-warning-system commented Apr 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-early-warning-system commented Apr 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

brentfulgham left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

annevk left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

webkit-early-warning-system commented Apr 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

webkit-commit-queue commented Apr 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

roberto-apple commented Apr 9, 2026 •

edited by webkit-early-warning-system

Loading

webkit-early-warning-system commented Apr 9, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 9, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 9, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 10, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 10, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 11, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 11, 2026 •

edited

Loading

webkit-early-warning-system commented Apr 13, 2026 •

edited

Loading