Remarks
Claims 1-10 and 21 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 1/6/2022 have been fully considered but they are not persuasive.
Applicant alleges “Without waiver of any of Applicant’s prior arguments, the following underscored subject matter is not accounted for in the Persson-Connor-Call combined teachings:” followed by 11 lines from claim 1 and all words from claim 21.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  The combination of Persson in view of Conner and Call discloses the argued 14 lines of claims 1 and 21 as follows:
Persson discloses ...
...
Intercepting, by the DOM virtualization client, an attempt to use a DOM API by one or more scripts running on the web browser (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; portion of aggregated web application intercepting request for access to a DOM resource via an API, for example.  Please also see the above-noted Applicant admitted prior art);
For each intercepted attempt to use a DOM API by a particular script of the one or more scripts, and based on type of usage of the DOM API, selecting, by the DOM virtualization client, a DOM API ACL from a set of DOM API ACLs (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; determining whether to allow or deny access by mapping the DOM structure, resources, domains, etc. to an ACL based FS, and then making a determination using the ACL based FS, for example); and
Restricting, by the DOM virtualization client, based on the selected DOM API ACL, the usage of the DOM API by the particular script according to its associated DOM API ACL (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; granting or denying access based on identity of requestor and requestee, for example.  Please also see the above-noted Applicant admitted prior art);
...
Conner ... discloses ...
...
Intercepting, by the DOM virtualization client, an attempt to use a DOM API by one or more scripts running on the web browser (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; intercepting request, for example.  Please also see the above-noted Applicant admitted prior art);
For each intercepted attempt to use a DOM API by a particular script of the one or more scripts, and based on type of usage of the DOM API, performing a function (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures)...
Call ... discloses that each DOM API ACL is distinct and configured for a particular API operation, and wherein at least one DOM API ACL is generated at the server based on prior web browser interactions with the webpage file (Exemplary Citations: for example, Paragraphs 31-39, 42, 44-46, 51, 56-59, 77, 80-82, claim 7, and associated figures; ACL for a particular API, which is configured based on API calls for the webpage, for example)...
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson as modified by Conner and Call discloses that the webpage file is a login page and the DOM API ACL generated by the server restricts access of different user inputs on the login page only to a web application and its associated scripts (Persson: Exemplary Citations: for example, Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; Conner: Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; Call: Exemplary Citations: for example, Paragraphs 31-39, 42, 44-46, 51, 56-59, 61, 77, 80-82, claims 7 and 29, and associated figures; user access is restricted for the web page and application associated therewith, where webpage is a login page in which a username and password can be input, as in Call, for example).  
Therefore, the prior art clearly discloses the subject matter that Applicant generally alleges is not found therein.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 6-10, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Persson (U.S. Patent Application Publication 2010/0235885) in view of Conner (U.S. Patent Application Publication 2015/0163087) and Call (U.S. Patent Application Publication 2016/0057107).  
Regarding Claim 1,
Persson discloses a method comprising:
Receiving by a computing device a request for a webpage file from a web browser running on a device (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; webpage file request from browser, for example);
Forming a modified webpage file by the computing device based on the requested webpage file, including by injecting a DOM virtualization client into the webpage file to form the modified webpage file, wherein the injecting of the DOM virtualization client into the webpage file comprises adding Javascript client code in the webpage file, and wherein the DOM virtualization client includes a virtualization engine configured to access and manipulate a DOM tree (Exemplary Citations: for example, Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; scripts provided in head sections of web pages, including first scripts within head sections, where the web page is loaded by the web browser, for example.  It is also noted that Applicant has admitted that this is prior art.  For example, on pages 9-10 of the response dated 9/18/2019, Applicant admits that “one reasonably skilled in the art will be able to program the edge server to generate and inject the appropriate JavaScript code accordingly without undue experimentation.  One reasonably skilled in the art will be able to write code that runs on the edge server to generate and inject the appropriate JavaScript code that is inserted into the head section of the HTML webpage file to form the modified webpage file.  Writing code that writes code is well-known mechanism.  For example, it is well-known in the arts that compilers may be used to parse an original set of code that is in one programming language and generate new code that is in another programming language based on the original set of code.  Here, the edge server is programmed to parse a received HTML webpage file.  The edge server is further programmed to generate the code that implements all the steps of the processes that need to be performed by the DOM virtualization client based on the parsed content, inject the generated code into a new modified webpage file, and send the modified webpage file to the web browser.”  Thus, Applicant has admitted that forming and injecting of a DOM virtualization client are well known including the functionality performed thereby);
The computing device sending the modified webpage file, instead of the requested webpage file, to the web browser (Exemplary Citations: for example, Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; sending the webpage file, for example.  Please also see the above-noted Applicant admitted prior art);
Intercepting, by the DOM virtualization client, an attempt to use a DOM API by one or more scripts running on the web browser (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; portion of aggregated web application intercepting request for access to a DOM resource via an API, for example.  Please also see the above-noted Applicant admitted prior art);
For each intercepted attempt to use a DOM API by a particular script of the one or more scripts, and based on type of usage of the DOM API, selecting, by the DOM virtualization client, a DOM API ACL from a set of DOM API ACLs (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; determining whether to allow or deny access by mapping the DOM structure, resources, domains, etc. to an ACL based FS, and then making a determination using the ACL based FS, for example); and
Restricting, by the DOM virtualization client, based on the selected DOM API ACL, the usage of the DOM API by the particular script according to its associated DOM API ACL (Exemplary Citations: for example, Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; granting or denying access based on identity of requestor and requestee, for example.  Please also see the above-noted Applicant admitted prior art);
But does not explicitly disclose that a server receives the request for the webpage file, that forming the modified webpage file is performed by the server, that sending is performed by the server, wherein each DOM API ACL is distinct and configured for a particular API operation, and wherein at least one DOM API ACL is generated at the server based on prior web browser interactions with the webpage file.  
Conner, however, discloses receiving by a server a request for a webpage file from a web browser running on a device (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; request, for example);
Forming a modified webpage file by the server based on the requested webpage file, including by injecting a DOM virtualization client into the webpage file to form the modified webpage file, wherein the injecting of the DOM virtualization client into the webpage file comprises adding Javascript client code in the webpage file, and wherein the DOM virtualization client includes a virtualization engine configured to access and manipulate a DOM tree (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; first script corresponds to the DOM virtualization layer since it takes care of at least the interception, for example.  Please also see the above-noted Applicant admitted prior art);
The server sending the modified webpage file, instead of the requested webpage file, to the web browser (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; sending the above to the client/browser, for example.  Please also see the above-noted Applicant admitted prior art);
Intercepting, by the DOM virtualization client, an attempt to use a DOM API by one or more scripts running on the web browser (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; intercepting request, for example.  Please also see the above-noted Applicant admitted prior art);
For each intercepted attempt to use a DOM API by a particular script of the one or more scripts, and based on type of usage of the DOM API, performing a function (Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention and before the effective filing date of the instant invention to incorporate the transparent interception techniques of Conner into the web application aggregation system of Persson in order to allow the system to optimize resource requests, control network traffic for optimized resources, provide for a graceful fallback in the event of problems, and/or increase the usability of the system.  
Call, however, discloses that each DOM API ACL is distinct and configured for a particular API operation, and wherein at least one DOM API ACL is generated at the server based on prior web browser interactions with the webpage file (Exemplary Citations: for example, Paragraphs 31-39, 42, 44-46, 51, 56-59, 77, 80-82, claim 7, and associated figures; ACL for a particular API, which is configured based on API calls for the webpage, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the ACL techniques of Call into the web application aggregation system of Persson as modified by Conner in order to allow the system to take into account different API functions when creating access rules, to provide more fine-grained access controls, and/or to increase security in the system.  
Regarding Claim 4,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses that the DOM API includes a base, an API of the base, and a set of arguments that is passed to the API of the base, and wherein the usage of the DOM API comprises a manipulation or an access of one or more of the following: the base, the API of the base, and the set of arguments (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; these are well-known portions of APIs, including arguments directed to the API, the interface itself, and the resource called by the API, as examples); and
Conner also discloses that the DOM API includes a base, an API of the base, and a set of arguments that is passed to the API of the base, and wherein the usage of the DOM API comprises a manipulation or an access of one or more of the following: the base, the API of the base, and the set of arguments (Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, and 39-48).  
Regarding Claim 6,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses intercepting of the usage of the DOM API by the one or more scripts running on the web browser and modifying the usage of the DOM API associated with the one or more scripts running on the web browser, wherein the restricting of the usage of the DOM API is based on identities of the one or more scripts (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68); and
Conner discloses that the intercepting further comprises supplanting the DOM API by a new DOM API, wherein the new DOM API comprises a wrapper function associated with the DOM API, and wherein the restricting of the usage of the DOM API is performed by the new DOM API (Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, and 39-48; replacing DOM API with a proxy API/wrapper, for example).  
Regarding Claim 7,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses intercepting of the usage of the DOM API by the one or more scripts running on the web browser and restricting the usage of the DOM API associated with the one or more scripts running on the web browser, wherein the modifying of the usage of the DOM API is based on identities of the one or more scripts (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68); and
Conner discloses that intercepting further comprises supplanting a callback script associated with the DOM API by a new callback script, wherein the new callback script comprises a wrapper function associated with the callback script, and wherein restricting of the usage of the DOM API is performed by the new callback script (Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, and 39-48).  
Regarding Claim 8,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses that restricting of the usage of the DOM API comprises one or more of the following: blocking the usage of the DOM API and triggering an alert in response to the usage of the DOM API (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; each access request will result at least in allowing or blocking usage of the API, for example).  
Regarding Claim 9,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses that the particular script is one of: a script associated with a web application, a third party script, and a malicious script (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; web pages, applications, scripts, etc., as examples).  
Regarding Claim 10,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses that JS DOM virtualization client code can be placed in a head section of a webpage file that is sent to the web browser (Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; scripts provided in head sections of web pages, including first scripts within head sections, for example); and
Conner discloses that the DOM virtualization client is injected by adding JavaScript DOM virtualization client code in a head section (Persson: Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68) of a webpage file that is sent by the edge server to the web browser (Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, and 39-48; first script corresponds to the DOM virtualization layer since it takes care of at least the interception, for example).  
Regarding Claim 21,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson as modified by Conner and Call discloses that the webpage file is a login page and the DOM API ACL generated by the server restricts access of different user inputs on the login page only to a web application and its associated scripts (Persson: Exemplary Citations: for example, Abstract; Figures 3A, 5A, 7A, and 8A; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; Conner: Exemplary Citations: for example, Abstract; Figures 1-2; Paragraphs 24-26, 32, 33, 39-48, and associated figures; Call: Exemplary Citations: for example, Paragraphs 31-39, 42, 44-46, 51, 56-59, 61, 77, 80-82, claims 7 and 29, and associated figures; user access is restricted for the web page and application associated therewith, where webpage is a login page in which a username and password can be input, as in Call, for example).  

Claims 2, 3, and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Persson in view of Conner, Call, and Mashevsky (U.S. Patent Application Publication 2012/0174227).
Regarding Claim 2,
Persson as modified by Conner and Call discloses the method of claim 1, in addition, Persson discloses restricting of the usage of the DOM API based on the identities of the one or more scripts (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68);
But does not explicitly disclose that restricting comprises obtaining a stack trace or call graph that traces a sequence of the one or more scripts that causes the usage of the DOM API.  
Mashevsky, however, discloses that restricting comprises obtaining a stack trace or call graph that traces a sequence of the one or more scripts that causes the usage of the DOM API (Paragraphs 53-57, 67, 88-90, and 99-100; call graphs, sequences of execution, etc., for scripts which would be the scripts using the DOM API in the combination, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before the effective filing date of the claimed invention, to incorporate the malware detection techniques of Mashevsky into the web application aggregation system of Persson as modified by Conner and Call in order to allow the system to detect malware, to check each script and call sequence for its likelihood of being malicious or benign, and/or to increase security in the system.  
Regarding Claim 3,
Persson as modified by Conner, Call, and Mashevsky discloses the method of claim 2, in addition, Persson discloses that restricting of the usage of the DOM API comprises determining that the usage of the DOM API is allowed in the event that the particular script is a subset of a whitelist of scripts (Abstract; Paragraphs 18-23, 26-29, 31-40, 48-55, 58, 60, and 64-68; checking ACL or other form of list, such as listing of resources within a given group, listing of resources that are owners, trusted resources, untrusted resources, or the like, as examples).  
Regarding Claim 5,
Persson as modified by Conner and Call does not explicitly disclose authenticating each of the one or more scripts by computing a checksum for the content of each of the one or more scripts.  
Mashevsky, however, discloses authenticating each of the one or more scripts by computing a checksum for the content of each of the one or more scripts (Paragraphs 53-57, 67, 88-90, and 99-100; hashing the script and comparing it to known good hashes, for example).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before the effective filing date of the claimed invention, to incorporate the malware detection techniques of Mashevsky into the web application aggregation system of Persson as modified by Conner and Call in order to allow the system to detect malware, to check each script and call sequence for its likelihood of being malicious or benign, and/or to increase security in the system.  

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Jeffrey D. Popham/Primary Examiner, Art Unit 2432