Phil Ringnalda: However, the <channel> <link>
element is not at all required to be the base URL for relative
links.
Phil is right. The
specs are
silent on this. In fact,
manypeople
believe that relative links should be resolved relative to the feed
itself, not the <channel><link> element's
value.
Spec issues aside, the hope that aggregators can correct ill
formed and encoded HTML for you is beyond the reach of most do it
yourself'ers, and even many companies. I hold the hope that
the situation would improve if people started placing their content
in their feeds in ways that are
demonstrably
well formed and easier to parse, but then again, I'm being too
optimistic.
Sadly, in spring of 2003, the
best
practice is still to avoid relative URLs in RSS feeds.
It's time for the RSS 2.0 spec to be updated to reflect the reality of relative URLs, with recommendations for how RSS readers should treat them.
One additional problem with absolute URLs that I haven't seen mentioned: HTTP authentication. You have a feed protected like so: http://user:mypass@server.com/index.xml. Now you want to include an img tag in the description. With an absolute URL for the src value, it's not possible, because the correct username and password could change for every user. By allowing relative URLs, the RSS reader could keep the username and send it with subsequent requests off of that feed.
Authentication is an entirely out-of-band issue. The HTTP client and HTTP server need to work out some authentication protocol for requests; it has nothing to do with the RSS feed itself (or any other HTTP resource, for that matter -- do you embed user passwords in [A] links in your web pages? or just rely on the server to authenticate once and then do the right thing afterwards?)
I believe NewsGator 1.1 can retrieve password-protected RSS feeds.
Mark's got it right. Also, the URL style you show above (http://user:mypass@server.com/index.xml) is purely a browser convenience; the browser takes what you type, strips off the credentials, tries the request, and then does whatever is necessary based on the 401 challenge. Don't think of the credentials as part of the URI - they're not.
And Mark's also correct about NG 1.1 - it supports feeds protected with HTTP Basic, Digest, and Integrated Windows Authentication (NTLM/Kerb).
Good points, you're right. It's up to the RSS reader to handle this, and it could do so whether the URLs were relative or not, just as a web browser does.
I'll try NewsGator to see how it handles this. NetNewsWire correctly handles password-protected RSS feeds if the username is specified in the URL, but because it just hands off the request to the OS, it doesn't have the smarts to keep the password and send it again if needed.
NewsGator will retrieve the RSS itself using the credentials. However, images within a post, and any links within the post that the user clicks on, will not use the credentials.
It'd be a little scary if it did, even within a single domain; all you would have to do is get a malicious post into a password-protected feed somehow, and you could trick the user into sending clear-text credentials to a linked site.
Greg, I don't see how that could happen without it being a bug in the app. Credentials should only be sent back to the server where the RSS feed originated from.
All I'm saying is that if an RSS feed is protected, you probably want other resources on that server protected as well. Now that it's common practice to include HTML encoded in the RSS description -- and Sam Ruby and others are experimenting with XHTML -- an RSS reader/aggregator acts more like a web browser and so should adhere to those standards (i.e. not choking when it gets a 401 not authorized).
I spent most of today knee deep in RSS, writing an aggregator for a project at work. It has been quickly becomng apparent that "Really Simple Syndication" is anything but! There are currently three major (and goodness knows how many minor) ...
Phil is right. The specs are silent on this. In fact, many people believe that relative links should be resolved relative to the feed itself, not the <channel><link> element's value. Spec issues aside, the hope that aggregators can...