Perhaps that's something to put in the header. X-Hub-Url or something. Brett?
On Tue, Jan 19, 2010 at 4:27 AM, Enrico <[email protected]> wrote:
> (In this message, wherever it says "google reader" it can be any
> subscriber)
>
> Here's a scenario:
> 1. I know Google Reader (for instance) has the capabilities to be a
> subscriber.
> 2. I use Google Reader to subscribe to a feed hosted at my server,
> this feed states the hub to be my server.
> 3. I get a subscription request from Google Reader, this enabling me
> to discover their callback URL.
> 4. I figure out the callback URL of a different atom feed people are
> subscribed to that has a different hub, then I send a POST request to
> that callback with new "fake" content causing Google Reader's users to
> see a fake post.
>
> So yeah, if Google uses a custom callback URL they can easily use
> something like this for example:
> http://reader.google.com/pushCallBack/feedid/[feed id here]/hash/[hash key for feed here]
> Then when getting a POST request they can check the hash actually
> matches what they expect, and hashing can be done with a secret key or
> whatever.
>
> Simple, right?
> However, that would totally scratch the possibility of using the
> "Aggregated Content Distribution" stated in the protocol:
>
> http://pubsubhubbub.googlecode.com/svn/trunk/pubsubhubbub-core-0.2.html#aggregatedistribution
> Which basically says "different callbacks generate different POST
> requests and no aggregation"
>
> I'm surprised a way for a hub to identify itself to a subscriber when
> POSTing new content isn't in the protocol.
> Or am I missing something?
>
> (If there's another post dealing with this issue, I'd love to be
> pointed to it, a quick search didn't help..)
>
> Thanks for the help :)
>

--
Jeff Lindsay
http://webhooks.org -- Make the web more programmable
http://shdh.org -- A party for hackers and thinkers
http://tigdb.com -- Discover indie games
http://progrium.com -- More interesting things
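
The per-feed hashed callback URL proposed in the quoted message, sketched from the subscriber's side as an added example that is not part of the original thread. HMAC-SHA256 is one choice for "hashing with a secret key"; the host name, secret and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from typing import Optional, Set

# Assumption: a secret known only to the subscriber (constructed value).
SECRET_KEY = b"constructed-example-secret"
# Hypothetical subscriber host; the path layout follows the quoted message.
CALLBACK_BASE = "http://subscriber.example/pushCallBack"

_PATH = re.compile(r"/pushCallBack/feedid/([A-Za-z0-9_-]+)/hash/([0-9a-f]{64})")


def feed_tag(feed_id: str) -> str:
    """Keyed hash of the feed id; cannot be computed without SECRET_KEY."""
    return hmac.new(SECRET_KEY, feed_id.encode("utf-8"), hashlib.sha256).hexdigest()


def callback_url(feed_id: str) -> str:
    """Callback URL the subscriber hands to the hub when subscribing to feed_id."""
    return f"{CALLBACK_BASE}/feedid/{feed_id}/hash/{feed_tag(feed_id)}"


def accept_post(path: str, subscribed: Set[str]) -> Optional[str]:
    """Return the feed id if the POST path is a callback we issued, else None."""
    m = _PATH.fullmatch(path)
    if m is None:
        return None
    feed_id, tag = m.groups()
    # Constant-time comparison so the tag cannot be recovered byte by byte.
    if not hmac.compare_digest(tag, feed_tag(feed_id)):
        return None
    # A valid tag for a feed we never subscribed to is still rejected.
    if feed_id not in subscribed:
        return None
    return feed_id


if __name__ == "__main__":
    subs = {"feedA", "feedB"}
    # The hub for feedA learns this path during subscription.
    learned = callback_url("feedA")[len("http://subscriber.example"):]
    print(accept_post(learned, subs))  # genuine callback for feedA
    # Reusing feedA's hash on feedB's callback path fails the check.
    print(accept_post(learned.replace("/feedA/", "/feedB/"), subs))
```

A hub that holds the callback for one feed cannot derive the callback for another, but as the message notes, giving every feed its own callback rules out aggregated content distribution.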
