Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Arguments
Applicant's arguments filed 07/23/2021 have been fully considered but they are not persuasive. 
Applicant argues: “Khait does not describe any augmentation to a response that causes the client computer to report information back to the proxy access service. Khait cannot teach or suggest “the first response including the first network resource and a content tracker that causes the first client device to report information on one or more additional network resources that are identified when the first client device interprets the first network resource” as required by claim 1. (Remarks pg. 11)”
At the outset, there is no requirement in the claim that the client computer “report information back to the proxy access service” as Applicant argues. The claims merely require reporting information on one or more network resources identified. In one example (Paragraph [0049]), the augmentation in Khait comprises a message concerning an action that was blocked by the proxy access service. Therefore, Khait teaches “report information on one or more additional network resources that are identified” as claimed.


The Examiner respectfully disagrees. Paragraph [0027] teaches “only allowing execution of script from specified sources.” Therefore Shekyan teaches “at least one of a source and a type of network resource that the second client device can access.”
The remaining arguments are derived from the above and unpersuasive for a similar rationale. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-30 are rejected under 35 U.S.C. 103 as being unpatentable over Khait (US 2020/0128085) in view of Shekyan (US 2016/0094575).


Regarding Claim 1,


receiving from a first client device a first request for a first network resource, wherein the first client device is authenticated (Paragraph [0033] teaches receiving a request for a resource and authenticating the user); 
retrieving the first network resource; transmitting a first response to the first client device (Paragraph [0037] teaches the proxy service generating a response and sending it to the web browser), the first response including the first network resource and a content tracker that causes the first client device to report information on one or more additional network resources that are identified when the first client interprets the first network resource (Paragraph [0037] teaches that the response may be augmented by the proxy access service based on control policies) (Figure 5, 512 teaches a command to create a cookie on the client device) (Paragraph [0050] teaches an additional network resource);
receiving, from a second client device, a second request for the first network resource; and transmitting a second response to the second client device (Paragraph [0034] teaches the method may be performed by users of client devices in an organization), Khait does not explicitly teach wherein the second response including the first network resource and a content security policy that is determined based on the information on the one or more additional network resources, wherein the content security policy identifies at least one of a source and a type of a network resource that the second client device can securely access when interpreting the first network resource.
(Paragraph [0027] teaches a content security policy that is determined based on the identity and source of a script)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the augmented control policy of Khait with the content security policy of Shekyan.
The motivation is to prevent security vulnerabilities (Paragraph [0001] of Shekyan).

Regarding Claim 2,

Khait and Shekyan teach the method of claim 1. Shekyan teaches wherein the content security policy identifies the one or more additional network resources as network resources that the second client device is allowed to access when interpreting the first network resource (Paragraph [0027] teaches allowing execution of script from specified sources).

Regarding Claim 3,

Khait and Shekyan teach the method of claim 1. Khait teaches wherein the content tracker includes a location at which the information on the additional network resources is to be transmitted by the first client device (Paragraph [0050] teaches downloading additional web content from a different location).

Regarding Claim 4,

Khait and Shekyan teach the method of claim 1. Khait teaches wherein the content tracker is an initial content security policy that is to be enforced by the first client device when the first client device interprets the first network resource (Paragraph [0037] teaches that the response may be augmented by the proxy access service based on control policies) (Figure 5, 512 teaches a command to create a cookie on the client device) (Paragraph [0050] teaches an additional network resource). Shekyan teaches the content security policy is a new content security policy determined based on the information on the one or more additional network resources that are identified when the first client device interprets the first network resource and enforces the initial content security policy (Paragraph [0027] teaches a content security policy that is determined based on the identity and source of a script).

Regarding Claim 5,

Khait and Shekyan teach the method of claim 4. Khait teaches wherein the initial content security policy causes the first client device to report the one or more additional network resources accessed by the first client device when the first client device interprets the first network resource, and wherein the initial content security policy does not cause the first client device to block the one or more additional network resources (Paragraph [0050] teaches downloading an additional network resource).

Regarding Claim 6,

Khait and Shekyan teach the method of claim 4. Khait teaches wherein the initial content security policy causes the first client device to report and block the one or more additional network resources accessed by the first client device when the first client device interprets the first network resource (Paragraph [0054] teaches that the resource is blocked).

Regarding Claim 7,

Khait and Shekyan teach the method of claim 1. Khait teaches wherein the content tracker includes code injected in the first network resource to track the additional network resources that are accessed when the first client device interprets the first network resource (Figure 5, 512 teaches a command to create a cookie on the client device) (Paragraph [0050] teaches an additional network resource).

Regarding Claim 8,

Khait and Shekyan teach the method of claim 1. Shekyan teaches wherein transmitting the first network resource includes: removing inline code from the first network resource; storing the inline code in an external file at a first location; and adding the first location to the first network resource to allow for tracking the code by the content tracker (Paragraph [0027] teaches modifying inline script so the script would no longer be inline).

Regarding Claim 9,

Khait and Shekyan teach the method of claim 1. Khait teaches the method of claim 1, wherein an additional network resource from the additional network resources is identified when a request for the additional network resource is transmitted from the first client device when interpreting the first network resource (Paragraph [0050] teaches downloading additional web content from an additional location).

Regarding Claim 10,

Khait and Shekyan teach the method of claim 1. Shekyan teaches determining one or more directives of a Hypertext Transport Protocol (HTTP) content security policy (CSP) header based on the content security policy; and wherein the transmitting the second response includes transmitting the HTTP CSP header including the one or more directive with the first network resource to cause the second client device to enforce the content security policy (Paragraphs [0027, 0029] teach HTTP CSP headers).

Regarding Claims 11-20,

Claims 11-20 are similar in scope to Claims 1-10 and are rejected for a similar rationale.



Regarding Claims 21-30,

Claims 21-30 are similar in scope to Claims 1-10 and are rejected for a similar rationale.

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462.  The examiner can normally be reached on M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HARRIS C WANG/Primary Examiner, Art Unit 2439