Private feeds

Twelve months ago, Stewart Butterfield posted in the Flickr forums saying:

We’re continuing to look at private feeds, but it is not easy. Surprisingly, this is not something that seems to have occurred to the people who designed RSS or the people who make the readers…

I was just thinking today about a project I was working on about five years ago which supported RSS, and we had a problem with private RSS feeds, so we just didn’t provide them. In the same way, you can’t get an RSS feed for your FlickrMail today.

LiveJournal allows you to view private feeds using a URL like http://username:password@www.livejournal.com/users/username/data/rss in a similar way to FTP, so I suspect this is an alternative point of entry to a standard authentication method like HTTP Basic (but I hope I’m wrong!).

So is this a solved problem for RSS now? Do most desktop and web aggregators support HTTP authentication? Obviously this is dealt with at a more fundamental level in Atom (namely section 5: Securing Atom Documents).


6 thoughts on “Private feeds”

  1. “I suspect this is an alternative point of entry to a standard authentication method like HTTP Basic”: if you mean the //username:password@ URL scheme, it’s specified in the URL RFC (see 3.1. Common Internet Scheme Syntax). Rather wonderfully, however, the same RFC also states specifically that “no username or password is allowed for HTTP”. This was expanded on later in RFC 2396, which mentions the practice as “NOT RECOMMENDED” (see 3.2.2. Server-based Naming Authority).

    Also note RFC 3986 – 3.2.1. User Information, which refers to this as “deprecated”.

    I think Microsoft removed the username@password capability from IE a while ago, because it was mostly applied for phishing purposes eg http://www.ebay.com@192.168.0.1.

    In summary, if LJ are still using that URL, they are cutting corners, and ideally should’ve found an alternative way of dealing with this. I suspect they have, since the FAQ does not seem to mention this scheme, suggesting instead that one append ?auth=digest to the URL of the rss feed, which uses, well, HTTP Digest authentication.

    I don’t know how widely that is supported by RSS viewers though. It’s not something I’ve tried.

    Off-topic, do you realise that LJ user username does in fact exist? It appears to be full of worrying poetry. The first entry in the RSS feed begins “Laying on the beach one night/flailing my willy out of spite”.

  2. Hurray, I’m glad I was wrong. I did go through the HTTP Authentication RFC (2617) looking for it, but couldn’t find it. It didn’t occur to me to look in the URL RFC. Lucky for me you’re so dedicated 🙂

    I know I heard rumours about MS removing username@password support from IE some time ago, but until very recently that’s what some people at my last company were using for FTP access, so unless it was a fix in SP2 it still seems that this is possible (note heinous lack of research on my part, such a bad blogger :).

    I had seen LJ’s support of HTTP Digest, but not that particular FAQ page, so didn’t know if it was officially supported or not. Nice to see that it is.

    I think most desktop-based clients are coming around to HTTP-based authentication, although I don’t instantly see support for it in Bloglines, and FeedOnFeeds definitely doesn’t support it (although Magpie which it uses at the backend may well do).

    Gosh, that poetry is actually quite frightening. I’m not sure I can cope with reading any of the others.

  3. Arg, nono.

    As specified in the URL RFC, it is perfectly accepted to have a username – password combination in an ftp:// URL.

    It’s just Naughty and Illegal for http 🙂

  4. Well, really I think that’s URL authentication and not HTTP-level.

    FeedOnFeeds doesn’t let you set a username and password to be used for any kind of actual authentication, and indeed doesn’t have anywhere where it can store such a thing. Passing a username/password combo in the URL probably completely negates having a password-protected feed in the first place.

  5. I half take it back 🙂

    More recent versions of Snoopy do actually have support for digest authentication. I’ll have to download the latest version of FoF to see if there’s actually anything in the UI or DB to store auth data.
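
The points raised in the post and comments above, as an added example that is not code from the post, the commenters or any of the tools they mention: a feed reader can pull credentials out of a subscription URL, flag the cases discussed (a password in the URL, userinfo that looks like a hostname), and hand the credentials to an HTTP Digest handler instead. The function names are hypothetical; the sample URLs are the ones quoted on this page.

```python
from urllib.parse import urlsplit, urlunsplit, unquote
from urllib.request import (HTTPDigestAuthHandler,
                            HTTPPasswordMgrWithDefaultRealm, build_opener)

def split_userinfo(url):
    """Return (clean_url, username, password) with userinfo stripped from the URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return clean, user, pw

def audit_feed_url(url):
    """List the userinfo problems discussed above for one subscription URL."""
    parts = urlsplit(url)
    findings = []
    if parts.username is None:
        return findings
    if parts.scheme in ("http", "https"):
        findings.append("userinfo present in an HTTP URL")
    if parts.password is not None:
        findings.append("password embedded in the URL; it is stored and "
                        "displayed wherever the URL is")
    elif "." in parts.username:
        # Everything before '@' is userinfo; the host actually contacted follows it.
        findings.append(f"userinfo looks like a hostname; real host is {parts.hostname}")
    return findings

def digest_opener(url):
    """Build an opener that answers HTTP Digest challenges for the cleaned URL."""
    clean, user, pw = split_userinfo(url)
    mgr = HTTPPasswordMgrWithDefaultRealm()
    if user is not None:
        mgr.add_password(None, clean, user, pw or "")
    return clean, build_opener(HTTPDigestAuthHandler(mgr))

if __name__ == "__main__":
    for u in ("http://username:password@www.livejournal.com/users/username/data/rss",
              "http://www.ebay.com@192.168.0.1"):
        print(split_userinfo(u)[0], audit_feed_url(u))
```

Nothing here touches the network: `digest_opener` only prepares the opener, and the credentials are used when the server issues a Digest challenge for the cleaned URL.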
