Hashes are generally much better than nonces, especially for static assets. They ensure that the contents of the allowed resource are exactly what they're supposed to be. They're quite trivial to generate for static resources, though it should be possible to generate them for dynamic resources too.
Of course, I don't for a moment wish to excuse the behavior of patent-trolling companies like Datawing. I hope that the combined weight of Google, Mozilla, and the EFF can nip this in the bud.
this is borderline hilarious, 2021 we get patent trolls wanting to penalize site owners for implementing web security best practices to protect their end users?
it's like suing car manufacturers for installing seatbelts on their vehicles, lmao.
> it's like suing car manufacturers for installing seatbelts on their vehicles, lmao.
I’m not sure you’re aware but Volvo patented the three-point seatbelt in use even to this day and gave the R&D and licence for the patent to their competitors because it was for the greater good. An interesting aside :)
I hope this gets taken to court and this company gets shut down. I'm not a patent (or any other kind of) lawyer but I do hold a couple of patents and I feel some confidence reading it, that CSP would not be held to breach this patent for a couple of reasons:
Firstly the patent describes a method of preventing cross-site scripting attacks by using preshared secrets which it describes throughout as passwords. A client-side "filter" is described in the invention, which disables "untrusted" sources unless they know the secret. The owner of a site turning on CSP can't possibly be violating the patent because the filtering in both the invention and the real CSP implementation happens at the client. The patent would have to cover the method of generating or publishing the nonces for the site owner to be in violation. If anyone is violating the patent (and I don't believe anyone is) it would be the people who make browsers which use the CSP headers to decide whether or not to execute script code.
It also describes various systems ("unsafe function" rewriting, etc) which don't exist in CSP and instead focuses purely on the idea that a nonce is a preshared secret password which can be checked by a "filter" on the client side.
4 comments
[ 2.4 ms ] story [ 20.1 ms ] threadOf course, I don't for a moment wish to excuse the behavior of patent-trolling companies like Datawing. I hope that the combined weight of Google, Mozilla, and the EFF can nip this in the bud.
it's like suing car manufacturers for installing seatbelts on their vehicles, lmao.
I’m not sure you’re aware but Volvo patented the three-point seatbelt in use even to this day and gave the R&D and licence for the patent to their competitors because it was for the greater good. An interesting aside :)
Firstly the patent describes a method of preventing cross-site scripting attacks by using preshared secrets which it describes throughout as passwords. A client-side "filter" is described in the invention, which disables "untrusted" sources unless they know the secret. The owner of a site turning on CSP can't possibly be violating the patent because the filtering in both the invention and the real CSP implementation happens at the client. The patent would have to cover the method of generating or publishing the nonces for the site owner to be in violation. If anyone is violating the patent (and I don't believe anyone is) it would be the people who make browsers which use the CSP headers to decide whether or not to execute script code.
It also describes various systems ("unsafe function" rewriting, etc) which don't exist in CSP and instead focuses purely on the idea that a nonce is a preshared secret password which can be checked by a "filter" on the client side.