Thank you for your kind comment.
I have a deep respect for the idea that the late Gervase Markham had in 2005, but as far as can be told from his blog post and subsequent internal communications in W3C, his idea was abandoned and not put into practice. It seems it was abandoned for the same reason that nobody has heard of Scriptlock until now. The world wasn't ready for it.
I came up with Scriptlock independently of his idea. My original idea was to see if I could protect against XSS in then-current browsers by using JavaScript itself to rewrite JavaScript. As the idea developed I found myself needing to add things in like the password, a server-side component, etc. until I had a working prototype, which yes, save for the fact that it does it using JavaScript, does exactly the same job as the CSP nonce.
Indeed the invention can emulate the CSP nonce in IE10/IE11. So what proof do you need?
It was a very exciting development. I felt that using a password to authorise the execution of JavaScript in a webpage was going to revolutionise website security and make the internet a more secure place, so I patented it. My very good patent attorneys asked me to conceive of other ways in which it could be done and to create a generalised model, explaining that if you invent a table that extends using flaps and nobody has invented a table before then you claim: a table, a table with legs, a table that extends, etc., so that your patent can't be circumvented by doing things slightly differently.
Unfortunately, just as nobody was interested in Gervase's idea, nobody was interested in my invention. In 2012 I wrote to several of the big companies after my patent was published to see if they wanted to use the product. I got no reply.
The problem was that CSP1.0 had come along with its white listing techniques and the world had gone stir crazy with moving JavaScript into external script files. The mere mention of inline events became an absolute taboo. So there seemed to be no future for something that promoted inline script and inline events. In fact I remember contacting someone on the now defunct ha.ckers.org website, whose response was, “Interesting…But what does this achieve that CSP[1.0] white listing does not?”.
Disheartened, I let the idea go and went back to my day job, though I kept the website up all this time.
No, we can't use what we know now to change history: In 2011 nobody practicing the art of computer security believed that embedding a password in plain text into a web page could in any way add to the security of the page. So, as far as can be told, nobody put it into practice. Two different patent examiners agreed. In 2011 I showed it could be done within the browsers available at the time and that it did work. Heck, the original version worked in IE9!
As to my motives to do something now:
I am a 45-year-old father of six children, two of whom have disabilities, one very severe. 18 months ago I was diagnosed with a rare combination of cancers (thyroid cancer and lymphoma), which has left me struggling to function every day.
For the last six years I have had to watch on as the biggest companies in the world use what looks like my patent… and now I’m struggling to support them and I can’t do anything about it.
The patent system was devised to protect small inventors like me. But to small inventors patents are worthless. It costs millions of pounds to enforce them and in this case would entail me going up against the biggest companies in the world, which I find a terrifying prospect.
It was my hope to be able to revive my invention and build up a business based on it with the view that maybe one day I might have the financial strength to address the bigger problem. My letter was simply to seek the support of people benefiting from this invention with a voluntary contribution. I made a gross error in judgement with my approach and choice of words. Sorry.
I have offered to pay any costs they incurred getting legal advice.
The fight's been knocked out of me by this cancer, so as I said to Gareth, I'm not sure I can be bothered.
There is a voluntary scheme in place on my website if anyone does want to contribute.
William