10523 2010-09-01 12:40:08 +0000 Scripting disabled check should happen after setting 'already started' 2010-10-04 14:29:51 +0000 1 1 1 Unclassified HTML WG pre-LC1 HTML5 spec (editor: Ian Hickson) unspecified All All RESOLVED FIXED P1 critical --- 1 hsivonen ian ian mike public-html-admin public-html-wg-issue-tracking public-html-bugzilla oldest_to_newest 38371 0 hsivonen 2010-09-01 12:40:08 +0000 Gecko checks for user-set (pref), author-set (CSP) script and Web platform feature-required script disablement after setting 'already started'. Please reorder the spec steps to match. 38372 1 hsivonen 2010-09-01 12:44:23 +0000 This also covers the script block type check in the same step. 39400 2 ian 2010-09-25 19:57:42 +0000 What does "Web platform feature-required script disablement" mean? Why would we want to check the language after setting "already started"? Keeping it before means you can insert a script with one type, then insert it again with another type, and it'll only execute once (the first type the browser supports). Not that this is hugely helpful, but what's the advantage of the opposite? What do other browsers do? Gecko is not the only browser, that Gecko does something is not an argument to change the spec any more than WebKit doing something. We have to check multiple browsers for existing browser implementation to be an argument one way or the other. I've moved the policy check to after the setting of "already started" since that seems like a security win. EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Partially Accepted Change Description: see diff given below Rationale: see above 39401 3 contributor 2010-09-25 19:59:42 +0000 Checked in as WHATWG revision r5499. Check-in comment: Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run. http://html5.org/tools/web-apps-tracker?from=5498&to=5499