I turned on CSP and all I got was this crappy lawsuit!

scotthelme.co.uk
Yes, you did read that right. It turns out that enabling CSP on your website, specifically CSP nonces, is enough for you to get threatening letters about patent infringement! I've heard of people getting in trouble for some pretty absurd things, but turning on a security feature built into a web browser, well that's top of the list.

Content Security Policy

Everyone knows I'm a huge fan of Content Security Policy, which is a powerful feature built into modern web browsers to offer websites the ability to better protect their users. This feature has been built into Chrome, Firefox, Edge and even Internet Explorer, alongside many other browsers! I even went so far as to found a company that does CSP reporting, and Report URI ingests reports from countless websites that use CSP nonces.

CSP nonces were an addition to CSP in version 2 that came out in 2016 and I've written about them since then too with support in Nginx and my Cloudflare Worker. It seems that there's a company out there that feels you shouldn't be able to freely turn on this feature, built into basically every web browser out there now, without having to pay some kind of license fee, something I find absolutely mind boggling.

ScriptLock

ScriptLock is a product from a company called Datawing who are responsible for sending out the letters about patent infringement. I'm no lawyer, that's for sure, so I can't comment on the veracity of the claims in the following documents, but I can share them here for you to browse through. The UK patent is GB2496107 and the US patent is 8959628 and here's the letter that I know at least a handful of site operators have now received:

https://drive.google.com/file/d/1p63IJ6XyAJdNsl20HJ2XTm6Es5Gc1-80/view?usp=sharing

It also links to this document which is the "Patent Infringement Outline":

https://drive.google.com/file/d/12yXB1o64IxsLvwjznuYQNwyG7tT3bxnZ/view?usp=sharing

The letter outlines five groups of companies that are of concern but it's an awfully…
Scott Helme