Reply to post: Re: The law is clear

Brit says sorry after waving around nonce patent and leaning on sites to cough up

William Coppock

Re: The law is clear

Gerv's blog 2005 post isn't detailed enough to count as prior art because there is not enough information to put the idea into practice, even when combined with other ideas. Even he says in the opening line that it's an idea. An idea is akin to the claims in a patent. Not the actual detail.

The comments section in the blog shows that it raises more questions than it answers and several posts shoot holes in his idea. For example Luke asks a question and Vi assumes the answer: that the script key is protected by the fact that JavaScript cannot run without the key. But this fails to acknowledge that there is a trust/untrust boundary issue with the entire scripting environment and that you actually need to take measures to obscure the script key from untrusted script, whether it be other JavaScript or HTML, because execution is not just coming from the JavaScript. If I recall, even the first production release of CSP nonce got this wrong. It didn't obfuscate the nonce from the DOM. The answer to his boundary issue is discussed at length in my patent and makes its way into both the server and client side components. The boundary issues created by a plain text nonce are very different from the boundary issues relating to other methods so you can't guess the solution from other related ideas such as BEEB, which is based on hashes.

Another issue not discussed is the conveying of trust and/or protection to newly created ancillary portions of the scripting environment, such as IFRAMES or SCRIPT tags created with createElement. This is akin to the problem only recently solved by the addition of strict-dynamic to CSP nonce, ten years after my patent. My patent describes the problem and process of solving it.

These are just two examples showing that, even if my Claim 1 were debunked, the remaining claims would remain intact and still describe many of the methods needed to implement the CSP nonce successfully.
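As an added illustration (not code from the comment, the patent or The Register), a small model of how the CSP3 script-src directive decides whether a script runs, covering the two points raised above: a nonce that untrusted markup cannot supply, and 'strict-dynamic' passing trust to scripts created with createElement rather than by the parser. The policy string and script objects are constructed, and the model omits 'self', wildcards and hashes.

```javascript
// Parse the script-src directive of a CSP header into the parts the decision needs.
function parseScriptSrc(policy) {
  const dir = policy.split(';').map((s) => s.trim()).find((s) => /^script-src\s/.test(s));
  const tokens = dir ? dir.split(/\s+/).slice(1) : [];
  return {
    nonces: tokens.filter((t) => t.startsWith("'nonce-")).map((t) => t.slice(7, -1)),
    strictDynamic: tokens.includes("'strict-dynamic'"),
    unsafeInline: tokens.includes("'unsafe-inline'"),
    hosts: tokens.filter((t) => !t.startsWith("'")), // host allowlist, exact origin match only
  };
}

// script is a constructed model object, not a DOM node:
//   nonce:             value of its nonce attribute, if any
//   src:               origin of an external script, or undefined for an inline script
//   parserInserted:    true if it came from HTML markup (including innerHTML/document.write),
//                      false if created with createElement and appended by script
//   insertedByTrusted: true if the script that created it was itself allowed to run
function scriptAllowed(policy, script) {
  const p = parseScriptSrc(policy);
  // A matching nonce always wins; an injected <script> cannot carry it unless it leaked.
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  if (p.strictDynamic) {
    // Host allowlist and 'unsafe-inline' are ignored. Trust flows only to scripts that
    // an already-trusted script created programmatically (the createElement case).
    return !script.parserInserted && script.insertedByTrusted === true;
  }
  if (script.src === undefined) {
    // Backwards-compat rule: a nonce in the policy switches 'unsafe-inline' off.
    return p.unsafeInline && p.nonces.length === 0;
  }
  return p.hosts.includes(script.src);
}
```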
