This also covers the script block type check in the same step.

What does "Web platform feature-required script disablement" mean?

Why would we want to check the language after setting "already started"? Keeping it before means you can insert a script with one type, then insert it again with another type, and it'll only execute once (the first type the browser supports). Not that this is hugely helpful, but what's the advantage of the opposite?

What do other browsers do? Gecko is not the only browser, that Gecko does something is not an argument to change the spec any more than WebKit doing something. We have to check multiple browsers for existing browser implementation to be an argument one way or the other.

I've moved the policy check to after the setting of "already started" since that seems like a security win.


EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Partially Accepted
Change Description: see diff given below
Rationale: see above

Checked in as WHATWG revision r5499.
Check-in comment: Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run.
http://html5.org/tools/web-apps-tracker?from=5498&to=5499