Graham Parks wrote:
> After years of dealing with seriously crappy RSS feeds, aggregator
> authors are smart enough to know everything in a feed is merely a hint
> and should not be trusted. This attack is not worth worrying
> about, though for completeness may be worth mentioning in the security
> section.

You may be happy to have your aggregator susceptible to such
attacks; however, I can't accept having my aggregator similarly compromised.
My users expect and demand a higher level of service from PubSub than they
get from other feed providers and aggregators...

However strictly we may interpret the contents of feeds, the feed
format itself should be defined in such a manner so that an aggregator that
strictly interprets the specification will work properly when presented with
conforming feeds.

In the absence of evidence that the proposed change will result in
damage or interoperability problems, I think the spec must change. A
security note is not sufficient.

bob wyman