Question

I have a project where I want to be able to monitor users' RSS feeds from their blogs or other content-generating sources, but I need to somehow verify that they actually own the RSS feed and aren't just pointing to someone else's blog or content. Is there a way to do this on the feed itself, like a <meta> section in the feed? My other thought is to force the person to verify ownership of the domain or site that hosts the feed, instead.


Solution

The closest thing to a standard way of handling this that I know of is to use a <link> with rel="me". Google Buzz uses this approach. Basically, you have something like this in the feed:

<link rel="me" type="text/html" href="http://www.google.com/profiles/username"/>

This indicates that the feed belongs to the same person as http://www.google.com/profiles/username. You can have multiple link elements with the same rel, so you can have links to multiple user profiles (typically profiles of the same person on multiple services) on the same feed.

An alternative approach is to require that the user place a random magic token in the body of their feed. This token only needs to exist for a single fetch, so the user can remove it once your service has determined that they own the feed. I think this approach may have been used by Feedburner. The problem with this approach is that it is open to abuse by feeds of aggregate user-generated content. For example, a malicious user could claim to own a comments feed or a wiki changelog feed pretty easily. Requiring that the magic token be in the feed description rather than in an item might be a way to solve this problem, though it may cause trouble for users that don't have low-level control over their feed (e.g. users of certain content management systems or blogging tools). The rel=me approach has this problem too, but at least it's standard-ish, so hopefully the creators of said CMS/blogging tools can be convinced into adding support for rel=me.

A third approach is to require that the user prove that they own the domain, as you mentioned. This has some issues, as a user may own only a directory tree on a domain or a subdomain. You don't want to assume ownership of an entire domain just because a user can edit a file on some subdirectory or subdomain. The "directory" and host of the "proof" URL should probably be an ancestor of the feed URL. For example, if I can control example.com/foo/proof.txt that does not mean I own example.com/quux/zarf.xml. If I can control example.com/quux/proof.txt, or example.com/proof.txt that's probably good enough, though.
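The three checks described in the answer above (a feed-level rel="me" link, a magic token that must sit in the feed description rather than in an item, and a proof file whose host and directory must be an ancestor of the feed URL) as an added, self-contained Python example. This is not code from the answer or from any of the services it mentions; the sample feed, the example.com and profile URLs, and all function names are constructed for illustration. It also shows the weak variant of the token check (token accepted anywhere in the feed) beside the stricter one, to make the aggregate-feed abuse concrete.

```python
import posixpath
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample Atom feed (not from any real site). It carries two
# feed-level rel="me" links and a verification token in <subtitle>. The
# single <entry> plays the role of a comment written by someone else: it
# smuggles in its own rel="me" link and its own token.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example blog</title>
  <subtitle>A blog about things. verify:abc123xyz</subtitle>
  <link rel="self" href="http://example.com/quux/zarf.xml"/>
  <link rel="me" type="text/html" href="http://www.google.com/profiles/username"/>
  <link rel="me" type="text/html" href="http://twitter.com/username"/>
  <entry>
    <title>A comment by someone else</title>
    <link rel="me" href="http://evil.example/profile"/>
    <summary>verify:attacker-token</summary>
  </entry>
</feed>
"""


def _feed_level(root):
    """Element whose direct children are feed-level metadata: the <feed>
    root for Atom, <channel> for RSS 2.0. Entries/items are below this."""
    if root.tag == ATOM + "feed":
        return root
    if root.tag == "rss" and root.find("channel") is not None:
        return root.find("channel")
    raise ValueError("not an Atom or RSS 2.0 feed")


def _norm(url):
    """Normalise scheme and host (case-insensitive) and drop a trailing slash."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/") or "/")


def rel_me_links(feed_xml):
    """href values of rel="me" links that are direct children of the feed/channel.
    Links inside entries are deliberately ignored: on an aggregate feed an
    attacker may control an entry but not the feed header."""
    # Note: for untrusted input a real fetcher should parse with defusedxml
    # or an equivalent hardened parser; ET is used here to stay stdlib-only.
    top = _feed_level(ET.fromstring(feed_xml))
    return {l.attrib["href"] for l in top.findall(ATOM + "link")
            if l.attrib.get("rel") == "me" and "href" in l.attrib}


def verify_rel_me(feed_xml, profile_url):
    """True if the feed claims, at feed level, to belong to profile_url."""
    return _norm(profile_url) in {_norm(h) for h in rel_me_links(feed_xml)}


def new_token():
    """Random token the service asks the user to publish for one fetch."""
    return secrets.token_urlsafe(16)


def token_anywhere(feed_xml, token):
    """Weak check: accepts the token anywhere in the feed, so whoever can post
    a comment or wiki edit that lands in the feed can pass it."""
    return token in feed_xml


def verify_magic_token(feed_xml, token):
    """Stricter check: token must be in feed-level description text only
    (Atom <subtitle>, RSS 2.0 <description>), never in an entry/item."""
    top = _feed_level(ET.fromstring(feed_xml))
    desc = top.findtext(ATOM + "subtitle") or top.findtext("description") or ""
    return token in desc


def proof_url_covers_feed(proof_url, feed_url):
    """True if controlling proof_url is accepted as proof of owning feed_url:
    same scheme and host, and the proof file's directory is the feed's
    directory or an ancestor of it. Exact host match is a deliberate, stricter
    reading of the answer's "host should be an ancestor" (an assumption here);
    '..' segments are normalised so a path like /quux/../foo/ cannot cheat."""
    p, f = urlsplit(proof_url), urlsplit(feed_url)
    if (p.scheme.lower(), p.netloc.lower()) != (f.scheme.lower(), f.netloc.lower()):
        return False
    proof_dir = posixpath.normpath(posixpath.dirname(p.path or "/"))
    feed_dir = posixpath.normpath(posixpath.dirname(f.path or "/"))
    return feed_dir == proof_dir or feed_dir.startswith(proof_dir.rstrip("/") + "/")


if __name__ == "__main__":
    print("rel=me links:", sorted(rel_me_links(SAMPLE_FEED)))
    print("attacker token, weak check:", token_anywhere(SAMPLE_FEED, "attacker-token"))
    print("attacker token, strict check:", verify_magic_token(SAMPLE_FEED, "attacker-token"))
    for proof in ("http://example.com/foo/proof.txt", "http://example.com/quux/proof.txt",
                  "http://example.com/proof.txt"):
        print(proof, "->", proof_url_covers_feed(proof, "http://example.com/quux/zarf.xml"))
```

The entry-level rel="me" link pointing at evil.example and the token in the entry summary are both ignored by the feed-level checks but would be accepted by the naive substring check, which is exactly the comments-feed and wiki-changelog abuse the answer warns about. The proof-file check reproduces the answer's examples: example.com/foo/proof.txt does not cover example.com/quux/zarf.xml, while example.com/quux/proof.txt and example.com/proof.txt do.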

Licensed under: CC-BY-SA with attribution