Prosecution Insights
Last updated: May 04, 2026
Application No. 18/451,075

CONTENT SECURITY METHOD AND SYSTEM

Non-Final OA §103
Filed
Aug 16, 2023
Examiner
DHAKAD, RUPALI
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Openfin Inc.
OA Round
3 (Non-Final)
39%
Grant Probability
At Risk
3-4
OA Rounds
7m
Est. Remaining
71%
With Interview

Examiner Intelligence

Grants only 39% of cases
39%
Career Allowance Rate
13 granted / 33 resolved
-18.6% vs TC avg
Strong +31% interview lift
Without
With
+31.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 4m
Avg Prosecution
40 currently pending
Career history
73
Total Applications
across all art units

Statute-Specific Performance

§101
12.7%
-27.3% vs TC avg
§103
57.0%
+17.0% vs TC avg
§102
8.9%
-31.1% vs TC avg
§112
19.6%
-20.4% vs TC avg
Black line = Tech Center average estimate • Based on career data from 33 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1-6, 9-14, and 17-24 are currently pending. Claims 7-8 and 15-16 are cancelled. Claims 21-24 are newly added. Applicants’ argument Applicant’s arguments, see page 8-9 filed 09/08/2025 with respect to the rejection of claims 1-20 under 35 U.S.C. §101 have been fully considered, but they are found unpersuasive. On pg. 8-9, applicant argues: “As an initial matter, Applicant submits that the claims are amended herein, clarifying the claimed invention, and obviating the rejection. In particular, Applicant submits that the claims are not directed to a judicial exception (i.e., an abstract idea, as alleged by the Examiner). And even assuming arguendo that the Examiner were to find that claims are directed to an abstract idea, Applicant submits that the claimed invention (and any alleged abstract idea to which the claimed invention may be alleged to be directed) is integrated into a practical application. Furthermore, even assuming arguendo that the Examiner were to find that the claimed invention and/or the alleged abstract to which the claimed invention is directed is not integrated into a practical application, Applicant submits that the claimed invention includes elements that, when considered either alone or in combination, constitute significantly more than any alleged abstract to which the claimed invention may be directed. More particularly, Applicant submits that the claims cannot be considered abstract as directed to a mental process. For instance, at least detecting, by a processing device included in the computing device and executing the first content security policy and the second content security policy, a data transmission to or from the internet browser application that violates a first policy provision of the first content security policy without violating a provision of the second content security policy, and blocking, by the processing device, the data transmission cannot be considered mental processes because the steps are not practically performed in the human mind. This is because the human mind is not equipped to perform a claim to detecting suspicious activity in computer communications. See e.g., MPEP §2106.04(a)(2)(III)(A) (citing SRIInt'l, Inc. v. Cisco Systems, Inc., 930 F.3d 1295, 1304 (Fed. Cir. 2019)). However, assuming arguendo, the claims do recite a judicial exception (e.g., a mental process) that can be practically performed in the human mind, Applicant submits that the claims integrate any alleged abstract idea into a practical application that improves the functioning of a computer, such as by enabling a content security policy that is controlled by a desktop manager that is separate and distinct from a consent security policy sent by a web app server. See e.g., Specification, paragraph [0012]. Further, the broadest reasonable interpretation of the claim must be limited to computer implementation because, as discussed above, the entire claim scope cannot be performed mentally. Accordingly, Applicant respectfully submits that that the claims integrate any alleged abstract idea into a practical application that improves the functioning of a computer See MPEP § 2106.05(a)(I). Accordingly, reconsideration and withdrawal of the 35 U.S.C. §101 is respectfully requested. ” Examiner respectfully disagrees. The claims as amended are still directed to an abstract idea under Step 2A, Prong One because they recite, at a high level, identifying policies, evaluating data transmissions against policy provisions, and blocking transmissions that do not comply, which is a form of rule-based evaluation and control of information that falls within the mental process grouping of abstract ideas when implemented on generic computer components. The recitation of a “processing device included in the computing device and executing the first content security policy and the second content security policy” and of a data transmission that violates a first policy provision of one policy but not the other does not add any specific technical mechanism or unconventional computer operation but merely describes what is being evaluated and the result of that evaluation in functional terms.​ Applicant’s reliance on SRI Int’l v. Cisco is unpersuasive because the claims there were directed to a specific network monitoring architecture that improved network security technology itself, whereas the instant claims recite only generic components such as a browser, servers including a desktop manager server, and a processing device performing conventional functions of receiving policy data, applying the data as rules, and allowing or blocking network traffic based on those rules. Under their broadest reasonable interpretation, the claimed steps still cover mental process type activities of observing data transmissions, comparing them to policy conditions, and deciding whether to block them, but for the recited use of generic computer components to carry out those steps.​ Examiner further disagrees with applicant’s contention that the claims integrate any alleged abstract idea into a practical application that improves the functioning of the computer. The fact that one content security policy is “controlled by a desktop manager” and is “separate and distinct” from a second policy sent by a web application server merely describes an administrative arrangement of where policies originate and who manages them, and the claims do not recite any particular improvement in how the browser, processing device, or network operates at a technical level. The “overlay” of a desktop manager policy on a web app policy is claimed only as a conceptual combination of rule sets without reciting a specific non-conventional data structure, protocol, or processing technique that changes the way the computer functions, and therefore does not amount to a technological improvement within the meaning of MPEP 2106.05(a).​ Examiner also does not agree that the broadest reasonable interpretation of the claims “must be limited to computer implementation” in a manner that would avoid a finding of a judicial exception. Eligibility analysis does not end merely because a claim recites a computer or because the entire scope cannot literally be performed in a human brain. Where, as here, the computer is recited in generic terms and is used only to perform the abstract evaluation and blocking functions in a conventional manner, the claim is still directed to the abstract idea itself under Step 2A.​ Finally, even if the claims are viewed as reciting a judicial exception that is not integrated into a practical application, the additional limitations do not amount to significantly more under Step 2B. The recited components such as the computing device, first and second servers, desktop manager, internet browser application, processing device, and memory are all generic computer and network elements performing routine functions of storing, transmitting, applying, and enforcing policies on network traffic as described in the specification, and there is no indication in the claims of an unconventional arrangement or operation of these components that would provide an inventive concept. Accordingly, the rejection under 35 U.S.C. 101 is maintained. Applicant’s arguments, see pg. 9-11 of the remarks, filed 09/08/2025, with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. § 102/103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1- 20, 21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Somé et al. (Strengthening Content Security Policy via Monitoring and URL Parameters Filtering, November 9, 2020, Virtual Event, USA), (hereinafter Somé), and further in view of Yawalkar et al. (U. S Pat. No. 11,997,118 B1) (hereinafter “Yawalkar”) Regarding claims 1, 9 and 17, Somé teaches [a] method of content security (Somé is titled “Strengthening Content Security Policy via Monitoring and URL Parameters Filtering” and describes techniques to strengthen CSP‑based security for web applications, which corresponds to a method of content security.): applying the first content security policy to an internet browser application operated by the computing device (Somé teaches deploying a CSP in enforcement (whitelisting) mode at the browser for a web application, where the browser enforces that CSP on content loaded in the page (p.2, col.2). This teaches applying a content security policy to an internet browser application operated by a computing device.); applying the second content security policy to the internet browser application (Somé further teaches that, in addition to the browser-enforced CSP, a second policy in blacklisting mode is enforced by a service worker monitor on requests initiated by the browser for the same application (p.2, col.2). Thus, a second content security policy is applied to the internet browser application.); detecting, by a processing device included in the computer device and executing the content security policy and second content security policy, a data transmission to or from the internet browser application that violates a first policy provision of the first content security policy without violating a provision of the second content policy (Somé describes that when the browser initiates a request (data transmission), the browser first enforces its CSP in whitelisting mode, and then the request is sent to the service worker, which checks the URL against the blacklisting policy (p.2, col.2). Somé explains that a URL may be allowed by the browser’s CSP yet blocked by the blacklisting policy enforced by the service worker, i.e., the request violates the blacklisting policy while not violating the CSP. This corresponds to a processing device executing two policies and detecting a data transmission that violates a first policy provision of a first content security policy without violating a provision of a second content security policy.); and blocking, by the processing device, the data transmission (Somé teaches that if the URL matches the blacklisting policy (either because it is blacklisted content or carries unsafe parameters), “then the request is blocked” (p.2, col.2). This corresponds to blocking, by the processing device, the data transmission.). Somé teaches does not explicitly disclose: identifying, at a computing device, a first content security policy transferred from a first server comprising a desktop manager, wherein the first content security policy is managed by the desktop manager; and identifying, at the computing device, a second content security policy downloaded from a second server comprising a web application, wherein the first server is separate from the second server and the second content security policy is managed by the second server. However, in an analogous art, Yawalkar teach: identifying, at a computing device, a first content security policy transferred from a first server comprising a desktop manager, wherein the first content security policy is managed by the desktop manager (Yawalkar teaches a server 102 that functions as a web server including processors, memory, storage, and networking components, hosting web content and interacting with a browser (Col. 6, ll. 36–48). In a system where such a server provides policy information to a browser or client, a computing device that receives a content security policy from that first server must recognize and handle that policy as associated with that server. This corresponds to identifying, at a computing device, a first content security policy transferred from a first server. The content of the CSP is under the control of the server that generates and provides it, which aligns with the notion that the first content security policy is managed by the first server.), identifying, at the computing device, a second content security policy downloaded from a second server comprising a web application, wherein the first server is separate from the second server and the second content security policy is managed by the second server (Yawalkar teaches a second server 202 that generates security policies, including CSPs, for requested web applications and provides those policies to a browser in HTTP response headers, where the browser then enforces the policies for each web application (Col. 15, ll. 32–38; Col. 15, ll. 62–67 – Col. 16, ll. 1–4). Server 202 hosts and delivers web applications 322(1)–322(3) to the browser (Col. 15, ll. 20–31). Yawalkar also teaches that server 102 is a separate web server distinct from server 202 (Col. 6, ll. 36–48). Thus, Yawalkar teaches a second content security policy downloaded from a second server comprising a web application, where that policy is defined and managed by that second server and the second server is separate from a first server in the system. A computing device receiving and enforcing such CSPs from the web-application server necessarily identifies the CSP associated with that second server.). It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify the method of Somé in view of Yawalkar. Somé already uses two cooperating policies (a browser-enforced CSP and a monitor-enforced blacklisting policy) applied to a browser to evaluate and block web requests, while Yawalkar teaches that CSPs can be defined and managed at servers, including a web-application server that generates CSPs for specific web applications and provides them to a browser. A person of ordinary skill in the art would have been motivated to have the desktop-side monitor policy of Somé provided and managed by a first server acting as a desktop manager, and to have the browser CSP provided and managed by a separate web-application server as in Yawalkar, so that enterprise administrators can enforce a desktop-side policy independently of and in addition to a web-application-defined CSP. In doing so, the computing device would necessarily identify the first content security policy transferred from the desktop-manager server and the second content security policy downloaded from the web-application server when applying them to the browser, as recited in claim 1, in order to strengthen protection against XSS and related attacks using multiple cooperating CSPs defined at different control points. Regarding Claim 21, Somé in view of Yawalkar teaches: The method of claim 1 (see rejection of claim 1 above), wherein the data transmission blocked by the processing device is between the internet browser application and the web application of the second server (Yawalkar: [Col 7, lines 41-46], Browser 104 implements the security policy 126 defined for web application 122, executing in browser 104, by adhering to the instructions included in the HTTP response header (e.g., not allowing restricted resources to load in browser 104 for web application 122, etc.)). It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Somé’s method of detecting security policy violation blocking data transmission by applying Yawalkar’s method of not allowing restricted resources to load in browser, in order to detect and mitigate XSS attacks and preventing from such attacks (Yawalkar: [Col 2, lines 18-21]). Regarding Claim 23, Somé in view of Yawalkar teaches: The system of claim 9 (see rejection of claim 9 above), wherein the data transmission that is blocked is between the internet browser application and the web application of the second server (Yawalkar: [Col 7, lines 41-46], Browser 104 implements the security policy 126 defined for web application 122, executing in browser 104, by adhering to the instructions included in the HTTP response header (e.g., not allowing restricted resources to load in browser 104 for web application 122, etc.)). It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Somé’s method of detecting security policy violation blocking data transmission by applying Yawalkar’s method of not allowing restricted resources to load in browser, in order to detect and mitigate XSS attacks and preventing from such attacks (Yawalkar: [Col 2, lines 18-21]) Regarding claims 2, 10 an12d the first limitation of 18, Somé in view of Yawalkar teaches all of the limitations of claims 1, 9 and 17, respectively, as shown above. Somé further teaches further comprising transmitting an alert to the first server that the data transmission was blocked (p.5 col2, While the CSP in blacklisting mode selectively prevents http://jsonp.com/script.js?callback=eval to load, it will however not prevent http://jsonp.com/script.js?callback=alert from loading, p.7, col2, alerts; p.8 col2, Requests that are blocked (because they are blacklisted content or because of their unsafe parameters) are also logged). Regarding claims 3, 11 and 19, Somé in view of Yawalkar teaches all of the limitations of claims 1, 9 and 17, respectively, as shown above. Somé further teaches further comprising: detecting, by the processing device, a data download request to the internet browser application that violates a second policy provision of the first content security policy, wherein the data download request is received from a web application server in communication with the internet browser application (p2 col2, deploy a service worker with an example web application, which deploys a CSP in enforcement mode and another policy in blacklisting mode to complement the policy in enforcement mode. The CSP in blacklisting mode is enforced by the monitor, and the CSP in whitelisting mode is enforced by the browser. Once the URL of a content matches a policy, the browser makes a request to fetch [download] its content. Then, the request is sent to the service worker, which further checks its URL against the blacklisting policy. If the URL matches the blacklisting policy (either because it is a blacklisted content or carries untrusted arguments), then the request is blocked, otherwise it is effectively made); blocking, by the processing device, the data download request (p.2 col2, then the request is blocked); and transmitting an alert to the first server that the data download request was blocked (p.5 col2, While the CSP in blacklisting mode selectively prevents http://jsonp.com/script.js?callback=eval to load, it will however not prevent http://jsonp.com/script.js?callback=alert from loading, p.7, col2, alerts; p.8 col2, Requests that are blocked (because they are blacklisted content or because of their unsafe parameters) are also logged). Regarding claims 4, 12 and 20, Somé in view of Yawalkar teaches all of the limitations of claims 3, 11 and 19, respectively, as shown above. Somé further teaches wherein the first content security policy includes one or more policy provisions to block: data transmissions or connections from the internet browser application to a predefined computing device; or data download requests to the internet browser application, the data download requests including requests for downloading one or more predefined types of data (p.8 col1, service workers listen for fetch events, which are triggered each time that a request is initiated by the browser to load content in the application. Note that those requests are done after the browser enforces the CSP of the application on the URL of the content to load. The request object of the event contains all the information necessary to make the request (URL of the request, type of content being loaded, the specific page from which the request is being made, data sent along the request in case of HTTP POST requests, ...) [12]. As shown in Listing 16, url represents the URL of a request intercepted by the service worker, content_type the type of content that the URL will load (script, image, ...) 5, and page, the specific page of the application from which the request is being made. This helps for instance, to deploy a single service worker for an entire application made of multiple pages). Regarding claims 5, 13 and the second limitation of 18, Somé in view of Yawalkar in view of teaches all of the limitations of claims 1, 9 and 17, respectively, as shown above. Somé further teaches wherein the first content security policy includes one or more application-layer policy provisions that block one or more types of data connections (p.1 col2, Content Security Policy (CSP) is a defense-in-depth mechanism that has been introduced to mitigate the impact of content injection and data exfiltration attacks in web applications [36]. In particular, CSP can be used to mitigate Cross-Site Scripting (XSS), one of the most prevalent attacks in the web [4]. CSP is well supported by browsers, and its adoption by web applications is increasingly growing [14, 27, 29, 32, 34]. CSP is mostly an origin-based whitelisting mechanism 1, the set of origins of content allowed to load in a webpage are declared in the policy. Upon enforcement, browsers allow only content from the whitelisted origins, thereby blocking content not matching the policy. There are 2 main components provided by the specification for declaring policies: directives and directive values. Each directive is linked to a specific type of content (scripts, images, stylesheets, plugins, etc.), and directive values are the trusted origins from which the specific type of content are allowed to load). Regarding claims 6 and 14, Somé in view of Yawalkar teaches all of the limitations of claims 5 and 13, respectively, as shown above. Somé further teaches wherein the one or more types of data connections include at least one of: a web services or web application connection (p.3 col1, [t]here are 2 main components in CSP for declaring policies. Directives target a specific type of content (scripts, images, plugins, etc.) (See Table 1), and directive values are the trusted origins from which content can be loaded. This includes origins (i.e. trusted.com, *.trusted.com), schemes (i.e. https:, data:), keywords (i.e. ’self’, ’unsafe-inline’, ’strict-dynamic’), nonces and hashes [35, 36]); a web socket connection; or a web real-time communication (RTC) connection. Claim(s) 22 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Somé et al. (Strengthening Content Security Policy via Monitoring and URL Parameters Filtering, November 9, 2020, Virtual Event, USA), (hereinafter Somé) in view of Yawalkar et al. (U. S Pat. No. 11,997,118 B1) (hereinafter “Yawalkar”); and in further view of Kraemer et al. (U. S. Pat. No. 7,516,476 B1) Regarding Claim 22, Somé in view of Yawalkar teaches: The method of claim 1 (see rejection of claim 1 above), Somé in view of Yawalkar does not explicitly disclose: wherein the first content security policy is transferred from the first server to the computing device via a local area network and the second content security policy is downloaded from the second server via the internet. However, in an analogous art, Kraemer teaches: wherein the first content security policy is transferred from the first server to the computing device via a local area network (Kraemer: [Col 11, lines 9-12], (47) Upon the completion of security policy development, the policy may be transferred to individual workstations 335A-C. This may be accomplished in numerous ways) and the second content security policy is downloaded from the second server via the internet (Kraemer: [Col 11, lines 12-17], the server 330 may transmit the policy to individual workstations, the workstations could be alerted that a new policy is available whereupon they would initiate a download of the new policy (=updated policy = second content policy), or other techniques could be employed. The updated policy (= second content policy) is employed to regulate the application's requests to access system resources). A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Somé in view of Yawalkar by applying the well-known technique as disclosed by Kraemer of downloading updated (=new) security policy. The motivation is to formulating a security policy that prevents actions that should be prevented, and allows actions that should be allowed, is a challenging exercise that must be repeated each time an application is installed or upgraded (Kraemer: [Col 2, lines 4-7]). Regarding Claim 24, Somé in view of Yawalkar teaches: The system of claim 9 (see rejection of claim 9 above), Somé in view of Yawalkar does not explicitly disclose: wherein the first content security policy is transferred from the first server to the computing device via a local area network and the second content security policy is downloaded from the second server via the internet. However, in an analogous art, Kraemer teaches: wherein the first content security policy is transferred from the first server to the computing device via a local area network (Kraemer: [Col 11, lines 9-12], (47) Upon the completion of security policy development, the policy may be transferred to individual workstations 335A-C. This may be accomplished in numerous ways) and the second content security policy is downloaded from the second server via the internet (Kraemer: [Col 11, lines 12-17], the server 330 may transmit the policy to individual workstations, the workstations could be alerted that a new policy is available whereupon they would initiate a download of the new policy (=updated policy = second content policy), or other techniques could be employed. The updated policy (= second content policy) is employed to regulate the application's requests to access system resources). A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Somé in view of Yawalkar by applying the well-known technique as disclosed by Kraemer of downloading updated (=new) security policy. The motivation is to formulating a security policy that prevents actions that should be prevented, and allows actions that should be allowed, is a challenging exercise that must be repeated each time an application is installed or upgraded (Kraemer: [Col 2, lines 4-7]). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art. KIPP et al. (U. S. PGPub. No. 2021/0014273 A1): Methods and apparatuses for automatic determination of a content security policy for a network resource are described. A proxy server receives from a first authenticated client device a first request for a first network resource, retrieves the first network resource and transmits a first response to the first client device that includes a content tracker that causes the client device to report information on additional network resources identified when the first client device interprets the first network resource. A content security policy is determined based on the reported information. The proxy server receives, from a second client device, a second request for the first network resource. The proxy server transmits, to the second client device, a second response that includes the content security policy that is determined based on the information on the additional network resources. Erickson et al. (U. S. PGPub. No. 2020/0358822 A1): An authentication system handles authentication requests to apply introspection and policy enforcement. A policy server obtains a client security policy and an authenticator security policy. The policy server obtains an encrypted credential request with client metadata from a client and determines whether the client metadata satisfies the client security policy. The policy server provides the encrypted credential request to an authenticator device and obtains an encrypted credential response with authenticator metadata in response. The policy server determines whether the authenticator metadata satisfies the authenticator security policy. The policy server processes the encrypted credential response, without decrypting the encrypted credential request or the encrypted credential response, based on a determination of whether the client metadata satisfies the client security policy and the authenticator metadata satisfies the authenticator security policy. Brandel et al. (U. S. 2022/0263828 A1): Systems and methods for monitoring webpage traffic. A web server can generate a JavaScript wrapper and wrap requested webpage code in the JavaScript wrapper. A client device in communication with the web server can receive a user request to load a webpage in a web browser, receive, from the web server, webpage code for the requested webpage that is wrapped in the JavaScript wrapper and includes an allowlist of allowed domains, execute the wrapped webpage code in the web browser, receive a domain request, identify the requested domain from the allowlist, execute the request if the domain is in the allowlist, and transmit, to the web server, run-time information associated with the domain request. The web server can determine, based on the run-time information, a frequency that the domain request was made, add the requested domain to a proposed allowlist, and generate a proposed modification to the JavaScript wrapper. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /R.D./Examiner, Art Unit 2437 /ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Show 1 earlier event
Jun 03, 2025
Non-Final Rejection — §103
Sep 08, 2025
Response Filed
Jan 05, 2026
Final Rejection — §103
Feb 09, 2026
Interview Requested
Mar 04, 2026
Examiner Interview Summary
Mar 04, 2026
Applicant Interview (Telephonic)
Mar 13, 2026
Response after Non-Final Action
Apr 24, 2026
Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592937
Method For Protection From Cyber Attacks To A Vehicle, And Corresponding Device
3y 10m to grant Granted Mar 31, 2026
Patent 12587544
METHOD AND SYSTEM TO REMEDIATE A SECURITY ISSUE
4y 5m to grant Granted Mar 24, 2026
Patent 12513154
BLOCKCHAIN-BASED DATA DETECTION METHOD, APPARATUS, AND COMPUTER-READABLE STORAGE MEDIUM
3y 7m to grant Granted Dec 30, 2025
Patent 12495039
INTEGRATED AUTHENTICATION SYSTEM AND METHOD
3y 2m to grant Granted Dec 09, 2025
Patent 12468826
METHOD FOR OPERATING A PRINTING SYSTEM
3y 5m to grant Granted Nov 11, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
39%
Grant Probability
71%
With Interview (+31.2%)
3y 4m (~7m remaining)
Median Time to Grant
High
PTA Risk
Based on 33 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month