Brit says sorry after waving around nonce patent and leaning on sites to cough up

Using that CSP 2.0 feature? You may have received a worrying missive


The director of a tiny UK company has apologised after sending letters to businesses suggesting they had infringed his patents that he claimed covered an age-old web standard.

The tech in question is the content security policy (CSP) mechanism that websites use to protect their visitors from cross-site scripting (XSS) attacks and similar exploits that steal data and hijack accounts. Specifically, it concerns the cryptographic nonce feature of CSP, which stops unauthorized scripts from running.

Datawing Ltd sent a number of letters to small businesses this month claiming to own one UK and one US patent on CSP and its use of a nonce. After an initial wave of alarm and outrage on Twitter when the letters surfaced, The Register tracked down their author: a penitent William Coppock.

When asked if he was chancing his arm by sending the letters, Coppock immediately said: "Probably, I don't know. I hope people don't see me as a patent troll."

Public attention was first drawn to Datawing's letters by internet hacker Scott Helme, who told El Reg: "It's a bit worrying if turning on a security feature provided by the web browser can get you into trouble."

Coppock's letter to the businesses read:

I am writing to you because you are the proprietor of a website making use of a Content Security Policy Level 2.0 (CSP 2.0) feature, known as the "nonce", which prevents the unauthorised execution of JavaScript in web browsers.

It has come to our attention that this important security feature is an embodiment of an invention devised by myself in 2011, more than two years prior to the publication of the CSP 2.0 standard.

The letter claimed "our patent has been widely overlooked by companies since the inception of CSP 2.0 in 2014," advertised Datawing's Scriptlock product which "augments CSP 2.0 with new features which greatly reduce the cost of adding CSP support to existing websites," and suggested that if companies weren't interested in Scriptlock, they should "obtain a licence to work the patent."

"Technical information is enclosed with instructions for how to register with us and license fees," it concluded.

What's a CSP nonce?

CSP works by limiting what resources a browser can load when it fetches a page. "With a few exceptions, policies mostly involve specifying server origins and script endpoints," Mozilla explained in a developer document about CSP.

Microsoft said the CSP nonce is "a cryptographically strong random value generated on each page load that appears in both the CSP policy and in the script tags in the page. Using nonces can help to minimize maintaining a list of allowed source URL values, while also allowing trusted script declared in script elements to run."

Can you say prior art?

A website administrator for one of the companies Coppock targeted, and who asked not to be named, told The Register: "The recipients are very concerned. Additionally we as the web developers, being security conscious, were trying to implement good security standards for our customers."

Others spoke to Helme, who documented his own investigation into the affair and asked questions on Twitter about Datawing's claims. Some of the replies were quite instructive.

For instance, this tweet linked to software engineer Gervase Markham's idea of script keys, designed – like CSP – to thwart XSS attacks.

Markham, who worked for Firefox-maker Mozilla and died in 2019, also described a randomisation feature to ensure his mechanism couldn't be easily bypassed by malicious scripts: in other words, a cryptographic nonce as used in CSP 2.0.

His 2005-era blog post therefore describes the essential features of Coppock's UK patent 2,496,107, which was filed in 2011 and granted in 2013. Coppock was granted its US counterpart, 8,959,628, in 2015. In his paperwork, the nonce is described as a password.

'Not sure I can be bothered'

Coppock told El Reg he was "not sure if I can be bothered" to try to enforce his decade-old patent. He accepted that CSP has been baked into the main two browser engines for years and did not suggest, when asked, that he had made any serious effort to enforce the patent against anyone until his most recent batch of 25 letters sent to companies whose websites had CSP 2.0 nonces enabled.

"What a stupid plonker, all I've done," he sighed, adding that he has six children and has been diagnosed with cancer. Applying for the UK and US patents cost him his "life savings," he said, adding: "I didn't intend any harm to come to anyone. Maybe I've just got to sell or give this thing to Mozilla."

Whether Coppock's motivation was to draw attention to what he described as his "homebrew talent" or to make money out of companies that paid up rather than challenge his claims, he denied to The Register that he was a patent troll. A law firm had checked over the letter and the "patent infringement outline" document before he sent them, he claimed.

Coppock also apologised to all who received his letters and urged them to contact him if they had any questions about it.

We have asked the law firm Coppock named for comment on the advice he says it gave him and will update this article if we hear back from it.

The company director also confirmed he was aware of the Intellectual Property (Unjustified Threats) Act 2017, which makes it a civil offence to send unjustifiable threats of patent lawsuits. While the Datawing letters did not explicitly threaten legal action if companies ignored them, and so do not appear to fall within section 1 of the act, some people were so worried by them they sought legal advice.

Patent trolling is the practice of a non-trading entity buying up patents and then trying to enforce them through the courts to guarantee a revenue stream. The practice hobbles legitimate value-creating businesses to the point that global networks were formed to fight against patent trolling. Not, we think, that an English court would have entertained Coppock's patent assertions for very long. ®
