Datawing sent several letters to small businesses this month claiming to own one UK and one US patent on the content security policy (CSP) mechanism. CSP protects site visitors from cross-site scripting (XSS) attacks and similar exploits that steal data and hijack accounts. The cryptographic nonce [number-used-once] feature of CSP to stop unauthorised scripts from running.
William Coppock said that he didn’t intend any harm to come to anyone and he would probably just sell or give the thing to Mozilla.
He denied to the press he was a patent troll. A law firm had checked over the letter and the "patent infringement outline" document before he sent them, he claimed. Coppock also apologised to all who received his letters and urged them to contact him if they had any questions about it.
The letter claimed "our patent has been widely overlooked by companies since the inception of CSP 2.0 in 2014", advertised Datawing's Scriptlock product which "augments CSP 2.0 with new features which greatly reduce the cost of adding CSP support to existing websites," and suggested that if companies weren't interested in Scriptlock, they should "obtain a licence to work the patent".
Coppock told The Rogister he was "not sure if I can be bothered" to try to enforce his decade-old patent. He accepted that CSP has been baked into the main two browser engines for years and did not suggest, when asked, that he had made any serious effort to enforce the patent against anyone until his most recent batch of 25 letters sent to companies whose websites had CSP 2.0 nonces enabled.