It’s just data

Again with the relative URLs

Phil Ringnalda: However, the <channel> <link> element is not at all required to be the base URL for relative links.

Phil is right.  The specs are silent on this.  In fact, many people believe that relative links should be resolved relative to the feed itself, not the <channel><link> element's value. 

Spec issues aside, the hope that aggregators can correct ill-formed and badly encoded HTML for you is beyond the reach of most do-it-yourselfers, and even many companies.  I hold the hope that the situation would improve if people started placing their content in their feeds in ways that are demonstrably well formed and easier to parse, but then again, I'm being too optimistic.

Sadly, in spring of 2003,  the best practice is still to avoid relative URLs in RSS feeds.

It's time for the RSS 2.0 spec to be updated to reflect the reality of relative URLs, with recommendations for how RSS readers should treat them.

One additional problem with absolute URLs that I haven't seen mentioned: HTTP authentication. You have a feed protected like so: Now you want to include an img tag in the description. With an absolute URL for the src value, it's not possible, because the correct username and password could change for every user. By allowing relative URLs, the RSS reader could keep the username and send it with subsequent requests off of that feed.

Posted by Manton Reece at

Authentication is an entirely out-of-band issue.  The HTTP client and HTTP server need to work out some authentication protocol for requests; it has nothing to do with the RSS feed itself (or any other HTTP resource, for that matter -- do you embed user passwords in [A] links in your web pages? or just rely on the server to authenticate once and then do the right thing afterwards?)

I believe NewsGator 1.1 can retrieve password-protected RSS feeds.

Posted by Mark at

Mark's got it right.  Also, the URL style you show above ( is purely a browser convenience; the browser takes what you type, strips off the credentials, tries the request, and then does whatever is necessary based on the 401 challenge.  Don't think of the credentials as part of the URI - they're not.

And Mark's also correct about NG 1.1 - it supports feeds protected with HTTP Basic, Digest, and Integrated Windows Authentication (NTLM/Kerb).

Posted by Greg Reinacker at

Good points, you're right. It's up to the RSS reader to handle this, and it could do so whether the URLs were relative or not, just as a web browser does.

I'll try NewsGator to see how it handles this. NetNewsWire correctly handles password-protected RSS feeds if the username is specified in the URL, but because it just hands off the request to the OS, it doesn't have the smarts to keep the password and send it again if needed.

Posted by Manton Reece at

NewsGator will retrieve the RSS itself using the credentials.  However, images within a post, and any links within the post that the user clicks on, will not use the credentials.

It'd be a little scary if it did, even within a single domain; all you would have to do is get a malicious post into a password-protected feed somehow, and you could trick the user into sending clear-text credentials to a linked site.

Posted by Greg Reinacker at

Greg, I don't see how that could happen without it being a bug in the app. Credentials should only be sent back to the server where the RSS feed originated from.

All I'm saying is that if an RSS feed is protected, you probably want other resources on that server protected as well. Now that it's common practice to include HTML encoded in the RSS description -- and Sam Ruby and others are experimenting with XHTML -- an RSS reader/aggregator acts more like a web browser and so should adhere to those standards (i.e. not choking when it gets a 401 not authorized).

Posted by Manton Reece at
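
The rule debated in the comments above (resolve each reference found in a post, then send the feed's HTTP credentials only to the feed's own origin), sketched as an added example that is not part of the original thread or of any aggregator named in it. The function names, the `FetchPlan` type and the example.com / example.net URLs are assumptions constructed for illustration.

```python
from collections import namedtuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
FetchPlan = namedtuple("FetchPlan", "url send_credentials")

def origin(url):
    """(scheme, host, port) of an http(s) URL, or None for anything else."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    try:
        port = parts.port
    except ValueError:  # malformed port: treat as no usable origin
        return None
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])

def strip_userinfo(url):
    """Drop a user:password@ prefix; credentials are not part of the URI."""
    parts = urlsplit(url)
    return parts._replace(netloc=parts.netloc.rpartition("@")[2]).geturl()

def plan_fetch(feed_url, ref, base=None):
    """Resolve ref from an item description and decide whether the feed's
    HTTP credentials may accompany the request.

    base is the resolution base: the feed URL by default, or the
    <channel><link> value if the reader chooses that interpretation.
    """
    feed_url = strip_userinfo(feed_url)
    resolved = strip_userinfo(urljoin(base or feed_url, ref))
    target = origin(resolved)
    # Exact origin match only: a different host, scheme or port gets nothing.
    same_origin = target is not None and target == origin(feed_url)
    return FetchPlan(resolved, same_origin)

# Constructed sample values (example.com / example.net are placeholders).
FEED = "https://user@feeds.example.com/private/index.rss"
CHANNEL_LINK = "https://www.example.com/blog/"

if __name__ == "__main__":
    for ref in ("images/chart.png", "//other.example.net/pixel.gif",
                "http://feeds.example.com/private/a.png"):
        print(ref, "->", plan_fetch(FEED, ref))
    print(plan_fetch(FEED, "images/chart.png", base=CHANNEL_LINK))
```

The choice of base matters here: the same relative `images/chart.png` lands on the feed's host when resolved against the feed URL, and on a different host (so without credentials) when resolved against the channel link.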

I spent most of today knee deep in RSS, writing an aggregator for a project at work. It has been quickly becoming apparent that "Really Simple Syndication" is anything but! There are currently three major (and goodness knows how many minor) ...

Pingback from Simon Willison: Archive for 4th April 2003


It's all relative

Fixed a couple of relative links in my RSS feed. Grrhhh, it's annoying that it's still best practice to avoid relative links....

Excerpt from Simon Fell at

We have been successfully offering Passworded RSS feeds on since early 2003.
Try it out yourself:

Posted by MCP at

Phil is right. The specs are silent on this. In fact, many people believe that relative links should be resolved relative to the feed itself, not the <channel><link> element's value. Spec issues aside, the hope that aggregators can...

Excerpt from phil ringnalda dot com: Again with the relative URLs: Comments at
