DETAILED ACTION
This office action is in reply to applicant communication filed on December 08, 2025.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim 21 has been added.
Claims 1-21 are pending.
Response to Argument
Applicant’s arguments filed on December 08, 2025 with respect to the 35 USC 102/103 rejections of independent claims have been fully considered but they are not persuasive.
Applicant argues that the prior art of record, Teo (US Pub. No. 2009/0037976), fails to teach the independent claim limitation, “….a proxy layer configured to manage interaction with the browser and secured function called by third party operation.” Examiner respectfully disagrees.
A review of the prior art of record (Teo) corresponding to the above argued claim limitation reveals that the argued limitation is disclosed by Shema’s reference as (Paragraph 26 of Teo, a secure network system 100, in accordance with an embodiment of the present invention. The secure network system 100 includes an end-user device 105, a website system 110, and a directory system 115, each coupled together via a computer network 120 such as the Internet. The end-user device 105 includes a browser 130 and a security component 135) and (paragraph 141 of Teo, transaction 900 begins with the security component 135 in step 1 being installed on the end-user device 105. The end user in step 2 surfs to a protected website 125, e.g., a bank website. The security component 135 presents a status indicator on the browser frame to indicate whether security is enabled. In one embodiment, the status indicator turns blue to indicate that the website is protected. The status indicator turns red if the website were blacklisted. The security component 135 in step 4 obtains the security policy 150 and initiates the security engine 238 after the end user logs into the website 125 and while the browser window is active. Internet lockdown engages) and (paragraph 89 of Teo, it will be appreciated that the security engine 238 may cooperate with the event handler 236, which includes a browser context monitor 264 which monitors the context of the browser session. By determining the context, the security engine 238 can determine if implicit triggers have occurred to activate/deactivate security mechanisms).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Teo (US Pub. No. 2009/0037976).
As per claim 1 Teo discloses:
A system for managing script execution by a browser, the system comprising: at least one processor; a memory operatively coupled to the at least one processor; the at least one processor when executing configured to: instantiate a browser session to include a proxy layer configured to manage interaction with the browser and secured functions called by third party operations, wherein the secured functions are configured to run as part of a website's code presented in the browser; (Paragraph 26 of Teo, a secure network system 100, in accordance with an embodiment of the present invention. The secure network system 100 includes an end-user device 105, a website system 110, and a directory system 115, each coupled together via a computer network 120 such as the Internet. The end-user device 105 includes a browser 130 and a security component 135) and (paragraph 414 of Teo, transaction 900 begins with the security component 135 in step 1 being installed on the end-user device 105. The end user in step 2 surfs to a protected website 125, e.g., a bank website. The security component 135 presents a status indicator on the browser frame to indicate whether security is enabled. In one embodiment, the status indicator turns blue to indicate that the website is protected. The status indicator turns red if the website were blacklisted. The security component 135 in step 4 obtains the security policy 150 and initiates the security engine 238 after the end user logs into the website 125 and while the browser window is active. Internet lockdown engages).
Monitor execution of the secured functions; (paragraph 40 of Teo, the component event logger 224 of the directory service may monitor access behavior for a variety of reasons, e.g., to identify malicious behavior, to review past behavior if later determined to be malicious, etc. The logging module 244 of the security component 244 may monitor access behavior for a variety of reasons, e.g., to identify malicious behavior, to review past behavior if later determined to be malicious, etc) and (paragraph 89 of Teo, the security engine 238 may cooperate with the event handler 236, which includes a browser context monitor 264 which monitors the context of the browser session. By determining the context, the security engine 238 can determine if implicit triggers have occurred to activate/deactivate security mechanisms).
Verify valid execution of the secured functions; (paragraph 85 of Teo, the security engine 238 verifies that the URL is in the POST URL list and is deemed legitimate).
Prevent execution of the secured functions by the browser or browser functionality responsive to failed verification; (paragraph 67 of Teo, a phishing protection mechanism warns the end user when being redirected to a blacklisted site. This alerts end users before potentially accessing a malicious site. Additionally or alternatively, the security policy 150 can block complete access to these blacklisted websites to protect its users).
Permit execution of the secured functions by the browser or browser functionality responsive to verification. (Paragraph 37 of Teo, if the hostname relates to a whitelisted site, the security engine 238 initiates a secure transaction. The security engine 238 instructs the transport agent 240, which uses the tunnel device 268, to establish a site-specific anti-hijack tunnel (GRE/IPIP) to the router 145. The security engine 238 downloads the security policy 150, the authenticator 256 verifies the SSL certificate, the security engine 238 confirms that the user wishes to initiate a secure session, and (assuming confirmed) the security engine 238 instructs the TSR 266 to initiate session lockdown policies (e.g., unhooks keyloggers, applies site-specific file/program lockdown policies, activates a global anti-hijack tunnel to direct all other non protected site-specific traffic through it, etc.) according to the security policy 150. The website server 202 presents the Website).
Claim 16 is rejected for the same reasons set forth in the rejection of claim 1.
As per claim 2 Teo discloses:
The system of claim 1, wherein the at least one processor is configured to instantiate a cache layer to manage resource requests made by the browser, any script executed by the browser, and any application programming interface. (Paragraph 36 of Teo, when the user requests a website, the cache engine 260 queries its cache for the hostname. If the hostname is not stored in the cache 262, the cache engine 260 queries the directory service engine 214 to resolve the requested hostname).
As per claim 3 Teo discloses:
The system of claim 2, wherein the at least one processor is further configured to allocate cache resources based on a mapping of the requests made by the browser, any script executed by the browser, and any application programming interface to the resources. (Paragraph 35 of Teo, the cache engine 260 of the security component 135 communicates with the security component updater 226 of the directory service 140 to update the cache 262 with blacklisted and whitelisted site updates, possibly only those updates relevant to the particular end user, thereby refreshing DNS cache entries) and (paragraph 46 of Teo, the security mechanisms can include website and Internet protection, e.g. cross site scripting protection, resource access controls (such as IP, URLs, HREFs), HTML data integrity using checksums, etc.; PG/application protection, e.g., keylogger controls, I/O access controls, browser cache access controls, etc.; and network protection, e.g., network access controls, etc).
As per claim 4 Teo discloses:
The system of claim 2, wherein the at least one processor is further configured to allocate the cache resources based on a mapping of the requests made by the browser and a system defined budget for the mapped resources. (Paragraph 35 of Teo, the cache engine 260 of the security component 135 communicates with the security component updater 226 of the directory service 140 to update the cache 262 with blacklisted and whitelisted site updates, possibly only those updates relevant to the particular end user, thereby refreshing DNS cache entries) and (paragraph 46 of Teo, the security mechanisms can include website and Internet protection, e.g. cross site scripting protection, resource access controls (such as IP, URLs, HREFs), HTML data integrity using checksums, etc.; PG/application protection, e.g., keylogger controls, I/O access controls, browser cache access controls, etc.; and network protection, e.g., network access controls, etc).
As per claim 5 Teo discloses:
The system of claim 1, wherein the at least one processor is configured to limit execution of the browser or browser functionality to the secured functions. (Paragraph 67 of Teo, a phishing protection mechanism warns the end user when being redirected to a blacklisted site. This alerts end users before potentially accessing a malicious site. Additionally or alternatively, the security policy 150 can block complete access to these blacklisted websites to protect its users).
As per claim 6 Teo discloses:
The system of claim 1 wherein the at least one process is configured to access policy constraints defining parameters of the valid execution. (Paragraph 28 of Teo, if the site is whitelisted, then the end-user device 105 establishes a site-specific anti-hijack GRE tunnel to the website system 110, retrieves the security policy 150 from the protected website 125, and activates lockdown policies (e.g., unhooking keyloggers, blocking file/process commands, and establishing global anti-hijack GRE tunnel) according to the security policy 150).
As per claim 7 Teo discloses:
The system of claim 6, wherein the parameters are defined by at least one of default constraints, user specified constraints, budgeted constraints, or certification of validity constraints. (Paragraph 28 of Teo, if the site is whitelisted, then the end-user device 105 establishes a site-specific anti-hijack GRE tunnel to the website system 110, retrieves the security policy 150 from the protected website 125, and activates lockdown policies (e.g., unhooking keyloggers, blocking file/process commands, and establishing global anti-hijack GRE tunnel) according to the security policy 150).
As per claim 8 Teo discloses:
The system of claim 1, wherein the at least one processor is configured to execute inline code or script tags upon accessing a website to instantiate the proxy layer. (Paragraph 28 of Teo, the security component 135 determines whether a requested URL is associated with a blacklisted site (websites known to be malicious, e.g., phishing sites), a whitelisted site (websites providing website session security, e.g., for banks/financial institutions), or an unlisted site (e.g., a conventional site that is not a blacklisted nor a whitelisted site). If the site is blacklisted, then in one embodiment the end user device 105 first confirms that the user wishes to navigate to the site. If the site is whitelisted, then the end-user device 105 establishes a site-specific anti-hijack GRE tunnel to the website system 110, retrieves the security policy 150 from the protected website 125, and activates lockdown policies (e.g., unhooking keyloggers, blocking file/process commands, and establishing global anti-hijack GRE tunnel) according to the security policy 150).
Claim 17 is rejected for the same reasons set forth in the rejection of claim 8.
As per claim 9 Teo discloses:
The system of claim 8, wherein the proxy layer includes a set of proxy objects configured to manage execution of third party function requests by the browser. (Paragraph 37 of Teo, if the hostname relates to a whitelisted site, the security engine 238 initiates a secure transaction. The security engine 238 instructs the transport agent 240, which uses the tunnel device 268, to establish a site-specific anti-hijack tunnel (GRE/IPIP) to the router 145. The security engine 238 downloads the security policy 150, the authenticator 256 verifies the SSL certificate, the security engine 238 confirms that the user wishes to initiate a secure session, and (assuming confirmed) the security engine 238 instructs the TSR 266 to initiate session lockdown policies (e.g., unhooks keyloggers, applies site-specific file/program lockdown policies, activates a global anti-hijack tunnel to direct all other non protected site-specific traffic through it, etc.) according to the security policy 150).
Claim 18 is rejected for the same reasons set forth in the rejection of claim 9.
As per claim 10 Teo discloses:
The system of claim 9, wherein the third party function requests include at least one of javascript request, document object model (DOM) request, or application programming interface (API) requests. (Paragraph 45 of Teo, in one embodiment, activation and deactivation of security mechanisms during a website security session can be controlled using activation and deactivation points at different context points of the website session. Example activation and deactivation points can include session (explicit) activation points (e.g., a URL to a whitelisted domain), implicit security trigger (on/off) points (e.g., HTTP mechanisms such as HTTP POST and HTTP to HTTPS transitions, URI or domain migrations, and/or Javascript or AJAX mechanisms (e.g., a new browser window)), explicit trigger (on/off) points (e.g., metatags) 210, session transition points (e.g., handover from primary to secondary session; can be recursive), session (implicit) termination points. A break from the above points may indicate the deactivation of the security session).
As per claim 11 Teo discloses:
The system of claim 9, wherein the at least one processor is configured to access any one or more of a default specification of the set of proxy objects, a user defined specification of the set of proxy objects, or an enhanced verification specification of the set of proxy objects. (Paragraph 49 of Teo, the security policy 150 defines "WHO" (e.g., which website servers to protect, such as main servers, alias servers, affiliate servers etc.) 304, "WHAT" (e.g., what security mechanisms to execute) 306, and "WHEN/WHERE" (e.g., when/where to activate/deactivate security mechanisms, etc.) 308).
Claim 20 is rejected for the same reasons set forth in the rejection of claim 11.
As per claim 12 Teo discloses:
The system of claim 9, wherein the at least one processor is configured to trigger enhanced verification responsive to identifying unexpected operation or unexpected access. (Paragraph 84 of Teo, explicit trigger points 210 may be embedded into the individual web pages of the protected website 125. The explicit trigger points 210 may identify the protection mechanism required for a web page or portion of the web page. When the security engine 238 identifies the trigger point 210, the security engine 238 may activate the identified protection mechanism. The website owner or manager may embed the trigger points 210 with the protection rules into the web pages. Embedded trigger points 210 enables complicated security rules and different protection mechanisms over various sections of a web page).
As per claim 13 Teo discloses:
The system of claim 12, wherein the at least one processor is configured to access an enhanced verification specification defining at least one of additional proxy objects, updated functionality for any one or combination of respective ones of the set of proxy objects, or additional analysis of access requests. (Paragraph 63 of Teo, a cross-site scripting protection mechanism protects against cross-site scripting and code injection. By defining a list of legitimate web servers (e.g., alias and affiliate servers) during a browsing session, the security engine 238 can block or warn the user when it recognizes requests to load information from servers outside the list. Thus, cross-site scripting and code injection attempts can be detected and blocked).
As per claim 14 Teo discloses:
The system of claim 1, wherein the at least one processor is configured to validate a third party function based on a validity signature of the third party function. (Paragraph 37 of Teo, the security engine 238 downloads the security policy 150, the authenticator 256 verifies the SSL certificate, the security engine 238 confirms that the user wishes to initiate a secure session, and (assuming confirmed) the security engine 238 instructs the TSR 266 to initiate session lockdown policies (e.g., unhooks keyloggers, applies site-specific file/program lockdown policies, activates a global anti-hijack tunnel to direct all other non protected site-specific traffic through it, etc.) according to the security policy 150. The website server 202 presents the Website).
As per claim 15 Teo discloses:
The system of claim 14, wherein the at least one processor is configured to allow or deny execution of the third party function in response to validity analysis of the signature. (Paragraph 41 of Teo, the blacklist engine 228 operates to identify blacklisted sites. The blacklist engine 228 may learn of blacklisted sites from a variety of sources including front companies that monitor for malicious sites, from end users who encounter phishing sites, from the security component 135 (e.g., when it recognizes a fake certificate), etc).
As per claim 19 Teo discloses:
The method of claim 18, wherein the third party function requests include at least one of javascript request, document object model (DOM) request, or application programming interface (API) requests, and the method further comprises managing, by the at least one processor, execution of the at least one of javascript requests, document object model (DOM) request, or application programming interface (API) requests through respective proxy objects. (Paragraph 45 of Teo, in one embodiment, activation and deactivation of security mechanisms during a website security session can be controlled using activation and deactivation points at different context points of the website session. Example activation and deactivation points can include session (explicit) activation points (e.g., a URL to a whitelisted domain), implicit security trigger (on/off) points (e.g., HTTP mechanisms such as HTTP POST and HTTP to HTTPS transitions, URI or domain migrations, and/or Javascript or AJAX mechanisms (e.g., a new browser window)), explicit trigger (on/off) points (e.g., metatags) 210, session transition points (e.g., handover from primary to secondary session; can be recursive), session (implicit) termination points. A break from the above points may indicate the deactivation of the security session).
Allowable Subject Matter
Claims 3 and 21 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Plummer (US Pub. No. 2007/0199073).
Plummer’s reference discloses:
A machine-executable method implementable in a system operable to execute a browser application having at least one security-context zone and operable to apply at least one security policy to interaction between the system and web sites corresponding to domain identifiers populating the at least one security-context zone includes comparing a first set of domain identifiers populating a first security-context zone of the at least one security-context zone with a second set of domain identifiers. The method further includes populating the first security-context zone with at least one second-set identifier not included in the first set of domain identifiers.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TESHOME HAILU/Primary Examiner, Art Unit 2434