Scott Hanselman

IE7 RC1 can't update Password Protected Feeds

September 13, 2006 Comment on this post [13] Posted in ASP.NET | Programming | Tools | Web Services
Sponsored By

UPDATE: Niall Kennedy blogs about accessing private feeds, but doesn't mention that IE7 and Office 2007 doesn't support it. Dare posts about Niall's post and has an interesting comment "At the end of the day, can Bank of America trust that RSS Bandit or Bloglines is doing a good job of adequately protecting the feed from spyware or malicious hackers?"

Of course they can't, just as BofA can't control that I might use any old HTTP stack to talk to their regular website. Angle brackets over HTTP are just that. RSS just makes them more regular and a little easier to parse. I would propose within the context of banking, keying off Dare's comment, that OFX and RSS are arguably the same thing with RSS just being more presentation focused. OFX being pulled into Microsoft Money and Yodlee is no different from RSS being pulled into RSS Bandit or Bloglines.

More on this topic at this post...

This is news that I'm apparently late to the party on:

Internet Explorer is unable to update password-protected feeds.

In IE7RC1, it let me subscribe happily with a password dialog and added my feed. Only when I returned a day later did I find my stale content wasn't updating.

That's going to make things like Audible.com and other password protected feeds difficult to work with in IE7. I hope the get this handled for the release.

Does anyone else think this is a huge problem? Is this just IE7 or is this the whole RSS Platform? If it is the platform, I think this makes personalized RSS content considerably more difficult.

There's been some news on this before over at GlobeBlogger, who noted as I did with considerable shock, that Outlook 2007 isn't using the RSS Platform.

The RSS Team PM Sean Lyndersay responded here to Charlie Wood's email. He says (edited for length)

To be honest, it was simply a casualty of time/resources vs. demand. There aren't a lot of authenticated feeds out there (yet). When we looked at the cost of doing it, we decided that it was something that could wait until our next release.

Outlook 2007 doesn't use the RSS Platform for downloading feeds, but they made fundamentally the same decision as we did (weighing resources against demand), and they don't support authenticated feeds either.

In both cases (IE/RSS Platform, and Outlook 2007), we support what's called NTLM/Kerberos pass-through authentication — which means that in many corporate environments where NTLM/Kerberos authentication is used (typically with Windows domains), the credentials that the user used to log into the machine will be automatically used. This allows authenticated feeds to work in a lot of corporate environments.

Both IE/RSS Platform and Outlook 2007 do support SSL-encrypted feeds. We also have found that many people who ask for authenticated feeds really want personalized feeds (where the data is public, but the feed itself is personalized to a particular user) — in these cases, we recommend generating URLs with guids or another unique identifier for each user.

So, to summarize:

  • We don't support storing different credentials for different feeds.
  • We do support NTLM/Kerberos pass-through for using the users logged-in credentials
  • We do support SSL-encrypted feeds
  • We recommend using personalized feeds, where possible.
  • As for when we will have authenticated feed support: I don't have an answer for you on that. We haven't announced a date for our next release.

Hope this is helpful.

Sean

With all due respect to Sean and his team, I hope that they hear our concern about this huge omission and realize that truly authenticated feeds will allow RSS to realize it's full potential.

Dare Obasanjo realizes how HUGE this could be and what a HUGE GOOF it is to not include support out of the gate. Authenticated feeds could change the game entirely (emphasis mine):

No support for password protected feeds. The number of password protected feeds on the Web continues to grow, Web sites such as GMail and LiveJournal provide authenticated feeds for users today. As the usage of syndication technologies like RSS continues to grow, the need to support authentication by feed readers will also grow as well. I can imagine a day when I can subscribe to a password protected feed from my bank or credit card company. Not having support for this today is a non-starter.

Please, discuss, I'm interested in your thoughts, dear reader. If you agree that this is important for the future of the spec and the continued usefulness of Feed technology, do put pressure on them.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Hosting By
Hosted in an Azure App Service
September 14, 2006 9:32
Well, that makes it useless for me. I have a few password protected feeds and if they won't work in IE7, I'm not switchin'. Firefox + Sage does me just fine.
September 14, 2006 11:34
I'm absolutely with you Scott (and Dare). Password-protected feeds will revolutionise the delivery of confidential information over the internet.

I think this is a short-sighted ommission by the teams, and I sincerely hope that they correct it as soon as possible. The RSS platform built into/under IE7 (and the one in OL2007) will be the single most important driver of the adoption of RSS feeds by non-technical people in the next few years. The RSS platform MS is delivering is good, but it *has* to be the out-and-out leader in it's field as it will be used by the most people. Are you hearing us, Microsoft?
September 14, 2006 16:01
What you could do is build a simple feed proxy running on localhost, which does the authenticating for you and dishes out the results only to you using NTLM/Kerb. Probably not too hard to write, but not exactly general purpose for the public at large....

Kirk
September 14, 2006 17:55
If Microsoft would listen to anything (they won't, of course, but IF they would), it would be business scenarios. In my case, there are an increasing number of company-internal RSS feeds that use basic authentication (not NTLM) because they cross platforms or cross the Internet - things like bug-tracking and specialized wiki updates and source code repository notifications. Not having the ability to hook into any of these things makes OL2007 RSS and the platform RSS complete non-starters for me.
September 14, 2006 20:06
I haven't really used used authenticated feeds yet, but I agree this seems like major feature is missing there. But then again, if the IE7 RSS support is as unreliable as the Outlook 2007 one, it's pretty much useless already, so why bother?
September 15, 2006 6:40
So MS doesn't have time/resources to add RSS support to Outlook, but they do have the time/resources to create their own reader/preferred feeds/etc that does not use the IE7 RSS features? There was a dotnetrocks episode a few weeks ago where someone from MS announced this big ambitious new thing (can't remember the name, because I thought the idea was a bit redundant and silly).

My biggest wish for MS is that they would do what they do best and stop trying to reinvent everything somebody else writes.
September 15, 2006 6:41
Had to look up the info...its called Information Center
http://www.dotnetrocks.com/default.aspx?showID=189
September 15, 2006 18:15
"My biggest wish for MS is that they would do what they do best and stop trying to reinvent everything somebody else writes."

Uhm, isn't reinventing everything pretty much all they do? Don't get me wrong, I'm a pretty big MS fan, but all of their biggest successes are re-implementations of an existing product. 9 times out of 10, their versions are better, mostly because they can see the existing implementation's problems.
September 15, 2006 23:04
I'm really disappointed with this too. RSS feeds stand to really benefit the business world, but have to be secure to do so. As a real-life example, consider ELMAH, which (among other things) provides RSS feeds of errors that occur on an app. It's very cool to be able to subscribe to these, but obviously a security risk if it's not password protected. With another HttpModule by the same author, it's possible to add Basic or Digest authentication.

As far as resources go, this seems like something that should be fairly easy to implement, especially if you stick with the handful of authentication standards...

I will point out that, AFAIK Firefox 'Live Bookmarks' don't support this either.
September 15, 2006 23:29
It's also worth pointing out that the last suggestion- providing personalized feeds using a GUID or other ID can be a security hole, and similar to what recently got FaceBook in a lot of trouble over their unprotected feeds.
September 16, 2006 21:03
Agreed, this must be fixed. However I've given up on IE7 and Outlook 2007 for RSS and using FeedDemon (even though I'm really having difficulty coming to grasps with paying for an RSS reader, still it's good software).

Even with the technical refresh, not only can't I subscribe to password protected feeds, I find my feeds don't update correctly. I've tested it with various blog/rss providers thinking maybe it's a problem just with Blogger or something but I get mixed results. Sometimes the feeds update correctly, other times I'll stumble across another blog that talks about a blog that I should have got an udpate from. Sigh. So FeedDemon it is for now, until I can find a better reader or the RSS in Outlook is fixed.

Then again, maybe it's just me ;)
September 17, 2006 6:36
Hey, come again Sean? It'd be honestly okay to have a personalized URL, but how would that solve anything if that personalized feed needed be password protected.
September 18, 2006 12:45
BTW: IE7 does not support RSS files with DTD reference in it neither...
Don't know if they even parse this DTD part, I guess it's just legacy for referencing the old RSS versions...

Check www.spiegel.de (German news site) and try to add the feed. Poor thing for sure!

Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.