Yes, you did read that right. It turns out that enabling CSP on your website, specifically CSP nonces, is enough for you to get threatening letters about patent infringement! I've heard of people getting in trouble for some pretty absurd things, but turning on a security feature built into a web browser, well, that's top of the list.
Content Security Policy
Everyone knows I'm a huge fan of Content Security Policy, which is a powerful feature built into modern web browsers to offer websites the ability to better protect their users. This feature has been built into Chrome, Firefox, Edge and even Internet Explorer, alongside many other browsers! I even went so far as to found a company that does CSP reporting and Report URI ingests reports from countless websites that use CSP nonces.
CSP nonces were an addition to CSP in Level 2, which became a W3C Recommendation in 2016, and I've written about them since then too, including support in Nginx and in my Cloudflare Worker. It seems that there's a company out there that feels you shouldn't be able to freely turn on this feature, built into basically every web browser out there now, without having to pay some kind of license fee, something I find absolutely mind boggling.
ScriptLock is a product from a company called Datawing who are responsible for sending out the letters about patent infringement. I'm no lawyer, that's for sure, so I can't comment on the veracity of the claims in the following documents, but I can share them here for you to browse through. The UK patent is GB2496107 and the US patent is 8959628 and here's the letter that I know at least a handful of site operators have now received:
It also links to this document which is the "Patent Infringement Outline":
The letter outlines five groups of companies that are of concern but it's an awfully long-winded way of saying "everyone":
- W3C, who devised the CSP2.0 “nonce” standard. Noting that W3C is a consortium of the browser manufacturers.
- The individual browser manufacturers, who have incorporated support for the CSP2.0 "nonce" into their browsers.
- The companies producing server side technology (web server manufacturers or web platform providers) that supports the CSP2.0 "nonce".
- The Internet service providers who provided website builders or a managed web platform that provides the CSP2.0 "nonce" to their customers.
- The companies owning or running websites that may with or without their knowledge be providing the CSP2.0 "nonce" to the benefit of their website users.
So far I only know about people receiving these letters being in group five, which is probably the group with the least budget to fight this, but I sure can't wait for Datawing to take on groups one and two and see what happens! I'm sure the likes of Google and Mozilla will have something to say about that.
Sites using a CSP nonce
Regular readers will know about my Crawler.Ninja project that scans the top 1 million sites in the world every day and produces data about their security. Whilst I provide a brief analysis every day, I can also go back and query the data for any particular day, like today, in more detail.
SELECT rank,hostname,`content-security-policy`,`content-security-policy-report-only` FROM `results` WHERE `content-security-policy` LIKE '%nonce%' OR `content-security-policy-report-only` LIKE '%nonce%'
You can see the results of that query here; in total there are 1,409 sites using a valid CSP or CSPRO header with a nonce on their landing page! Looking at the top 10, there are quite a few big names in there.
- twitter.com
- pinterest.com
- zoom.us
- tumblr.com
- dropbox.com
- paypal.com
- bbc.co.uk
- forms.gle
- booking.com
- google.cn
I wonder if they've all had their letters yet?
Have you had a letter?
If you have, feel free to reach out to me and I'd be happy to include you in the group of sites willing to stand and take action against this with the EFF (Update: legal support will be provided by the Public Interest Patent Law Institute!). I haven't yet received a letter myself but I do operate websites that use CSP nonces, so perhaps it is yet to come. I'm also not sure if you could argue that Report URI falls into category 3 above. Regardless, I feel this is absurd and will be happy to put time and effort into bringing this to a swift end with anyone else that's willing.
Looking at Scriptlock and the patent more closely
I will keep this section updated with any interesting points that arise, but I've had a look through the letters and the patent and found some interesting points already that I've outlined below. If anyone would like to have a read through these documents and raise additional points, please drop them in the comments below and I will update the post accordingly. One thing that I find particularly interesting is the attempt to apply the wording of the patent to how CSP nonces work!
It also seems like if you use their Scriptlock product, you either need to call back to their hosted service on each page load or host your own service for the JS to call back to. I'm yet to dig into it further but it seems like it has the potential to be a weak link in the chain if that service were to become unavailable or respond slowly.
This patent had lapsed and was restored in May 2021:
My understanding is that there is a period of time when the patent was not enforced and if you enabled CSP nonces during this time, maybe it doesn't apply to you?
Patent Infringement Outline §1.6, their example console error message:
Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' data: gap: http://www.visitsingapore.com https://ssl.gstatic.com 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-V+/U3qbjHKP0SaNQhMwYNm62gfWX4QHwPJ7We1PXokI='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This is an exact copy of the console error message given in this StackOverflow question from 2017, with an answer that was modified 2 weeks ago:
The company changed their name from CLIQUECLOUD LIMITED to DATAWING LIMITED in Oct 2020:
On their last financial statement, DATAWING LIMITED had £4,753 cash in the bank:
This doesn't seem like a particularly large amount of money to start legal proceedings with.
The letter explains that a nonce is a one-time password and links to a Wikipedia article that doesn't seem to say that.
The letter refers to a nonce as a "password" throughout, so I'm guessing this is perhaps important for their patent to be able to apply. They refer to a nonce as a password before the term nonce is even used in the letter.
They use the term password 36 times throughout the letter.
The CSP Level 2 specification (a W3C Recommendation, not an RFC) does not contain the word "password".
I have now got a copy of the Scriptlock Integration Guide:
This section will be updated with more information as it arises.
I think this article from The Register sums it up well, a victory!!! Datawing have reconsidered their action and will no longer be pursuing websites for money if they use CSP nonces 💪