Microsoft RSS Blog

All about RSS and feed technology at Microsoft and across the community

The RSS Platform User-Agent String

On the IE blog, Eric Lawrence presented the User-Agent string for the beta version of Internet Explorer 8 which will be available later this year. The RSS Platform will also introduce an updated User-Agent string for use with the IE8 beta. For details on the RSS Platform User-Agent string in IE7 please take a look at my past blog post.

The change is a simple increment of the version number to "2.0" as in

Windows-RSS-Platform/2.0 (MSIE 8.0; Windows NT 6.0)

And as before, note that there are two cases to keep in mind:

  1. The user is not subscribed to the feed. The user navigates to a feed and IE presents a preview of the content.
  2. The user is subscribed to the feed. The RSS Platform retrieves the feed content on a schedule (or on demand).

In the first case, the request is made by IE and hence the IE User-Agent string is used.

In the second case, the RSS Platform User-Agent string is used.

- Walter vonKoch
Program Manager

Team RSS @ Microsoft - 28/02/2008 06:57:00

Windows Live Suite has lots of RSS goodness

A couple weeks ago, Chris Jones (VP on the Windows Live team) announced the new Windows Live suite. Included in this suite are two things of potential interest to readers of this blog:

First, the beta release of Windows Live Mail -- a desktop email client like Outlook Express or Windows Mail for Vista. What makes it even more interesting is that it includes support for reading RSS feeds (based on the Windows RSS Platform -- so anything you subscribed to using IE7 is automatically available in Windows Live Mail).

Windows Live Mail is great for those who like their feeds in a mail-like "three-pane" view. Brandon LeBlanc wrote about using Windows Live Mail as an RSS reader not too long ago on the Windows Experience blog. Read more about the beta release on the Windows Live Mail team blog.

Second, the suite includes an update to Windows Live Writer - a fantastic blogging tool (that I've written about before) with support for dozens of blogging services. Read about Writer on the team's blog.

So, lots of good stuff happening on the RSS and blogging front over in Windows Live-land. Keep an eye on the Windows Live Wire blog for updates.

- Sean

Team RSS @ Microsoft - 18/09/2007 11:02:35

Simple Sharing Extensions spec updates

You’ve probably seen the postings in the past on this blog about the Simple Sharing Extensions (SSE) for RSS. SSE was originally introduced by Ray Ozzie on his blog as a way to enable syncing items between different points on the web. We’ve recently updated the spec to support Atom feeds as well.

I posted the latest Simple Sharing Extensions spec to MSDN last month, at http://msdn.microsoft.com/xml/rss/sse. I’ve received a bunch of great comments and suggestions on the spec, and I’m in the process of incorporating those into a new draft. I’ll be sending out the proposed updates to the FEED-TECH list over the next few days. You can see the first change set here. I’ll also be discussing these changes on my personal blog at http://blogs.msdn.com/stevenlees.

It would be great to hear people’s thoughts about the spec and the updates. The best way to respond is to join the FEED-TECH list and post your comments there. Thanks!

--Steven

Team RSS @ Microsoft - 28/07/2007 22:01:29

RSS 2.0 Best Practices Profile draft released

One of the great things about RSS is that it's being used all over the world in countless ways. Millions of sites publish RSS feeds and hundreds of products consume those same feeds. The downside of this popularity, however, is that with that many implementations, there's bound to be some variance in how and when sites implement the specification. This can make it tricky for publishers and consumers to figure out how to implement some of the less-frequently-used features of the specification.

For the past few years, the RSS Advisory Board and the many hard-working and dedicated people on the RSS-public mailing list have been working hard to document how popular readers and services have implemented the specification, with the goal of helping publishers and consumers understand how best to get what they want.

The board recently published another draft (version 1.20) of the RSS 2.0 Best Practices Profile, which includes information on how various consumers use the <ttl> element, as well as how to implement some commonly-used RSS extensions (like the Dublin Core and Slash extensions).

The profile is still evolving, so, if you're interested in getting involved, the best place to start is on the RSS-public mailing list. If you're implementing a new RSS publishing or consuming application, a quick glance at the profile would definitely help.

- Sean

Team RSS @ Microsoft - 06/06/2007 04:58:49

Reading feeds in Right-to-Left order

In the last few weeks, we have got some questions about how to display the IE7 Feed View in RTL (Right-To-Left) reading order, which is used by several languages.

The good news: we do have support for RTL.

IE decides whether to show a feed in RTL reading order based on one of three things:

  • The language that the feed publisher specifies in the feed
  • The default language of the browser (only if the publisher does not specify a feed language).
  • The manual reading order selection that the user makes (overrides either of the previous two)

If you are a publisher of an RSS Feed, here is what you need to do to make it show correctly.

IE's Feed View looks for the RSS 2.0 language element (e.g. <language>en-us</language>), or the xml:lang attribute for Atom 1.0 feeds (<feed xml:lang="en">), to determine which direction the feed page should have.

If the language the publisher indicates is known to be displayed RTL by default, IE will automatically switch the ordering. In the examples above (en is "English"), the feed will display as LTR (Left-To-Right). Conversely, if the language element is set to Arabic (<language>ar-SA</language> or just <language>ar</language> for RSS 2.0) the feed will be displayed in RTL (Right-To-Left) order.

Here is what the header of the feed should look like. The value of the language element should be changed to any of the values shown below, depending on the language of the content you are trying to display.

<?xml version="1.0"?>
<rss version="2.0"><channel>
   <title>BBC Arabic News | الصفحة الرئيسية</title>
   <link>http://news.bbc.co.uk/go/rss/-/hi/arabic/news/default.stm</link>
   <language>ar</language>
...

(You can see this feed live in IE here to see what RTL feeds look like).

Atom 1.0 header should look like this:

<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="ar">

The following languages will be displayed as RTL by default:

  1. Arabic (ar-**)
  2. Farsi (fa-**)
  3. Urdu (ur-**)
  4. Pashtu (ps-**)
  5. Syriac (syr-**)
  6. Divehi (dv-**)
  7. Hebrew (he-**)
  8. Yiddish (yi-**)

Please note: the language value must be in lowercase (e.g. ar-SA, he-IL, ur-PK, etc.). The second part of the value (which typically indicates the region), is not used in any way by IE's feed view, and may be omitted.

When the language tag is not included by the publisher, the default IE language is used. For example, if you’re using an English version of IE, then all feeds without the language element are treated as LTR. If you’re using a Hebrew version of IE, then a feed without the language element is treated as RTL.

Finally, there are times when the feed's language is different from the default language, and the feed language element is not set by the publisher. In this case, you can manually change the layout to RTL or LTR using the Page menu (Encoding -> Right-to-Left Document) or by right-clicking directly on the page itself. See image below:

[Image: the Right-to-Left Document option in IE7]

Hope this helps,

Nick Achmon,
Software Development Engineer in Test

Team RSS @ Microsoft - 18/05/2007 01:37:00

Still Gone? Ok – got it!

Sam Ruby pointed out HTTP 410 GONE support in feed readers or rather the lack thereof. He links to the list of User-Agent strings that continue to request the feed that is gone. One of the entries points at the Windows RSS Platform as an "offender":

Windows RSS Platform/1.0 (MSIE 7.0; Windows NT 5.1)

It's listed with 282 hits. At first I was surprised to see the Windows RSS Platform in that list since we specifically added 410 GONE support. But then it dawned on me: That's not the Windows RSS Platform!

Well, it is, but it isn't. The above User-Agent string is the one from the Beta 2 Preview release (Jan 2006) of the Windows RSS Platform. The User-Agent string changed in Beta 2 (April 2006) to the final string:

Windows-RSS-Platform/1.0 (MSIE 7.0; Windows NT 5.1)

I described the string here a year ago. See the difference? The dashes instead of spaces! Why the change? Well it turns out that the product token of the User-Agent string may not include spaces, since spaces delimit product tokens and comments.

So it turns out that there are still people running the Beta 2 Preview version of the Windows RSS Platform, or some application is "faking" the User-Agent string.

Either way, I just verified that the RTM version of the Windows RSS Platform handles 410 GONE correctly. I used the following PowerShell script:

# Create the Feeds Manager COM object
$fm = new-object -comobject "Microsoft.FeedsManager"
# Subscribe to a feed that now answers 410 GONE
$feed = $fm.rootfolder.CreateFeed("gone","http://www.intertwingly.net/blog/index.rss")
# SyncSetting before the download
$feed.SyncSetting
$feed.Download()
# SyncSetting after the download
$feed.SyncSetting

When you run it you will see that the SyncSetting property is changed from 0 to 2 after the Download() call. Note that the SyncSettings are defined as:

typedef enum {
    FSS_DEFAULT = 0,
    FSS_INTERVAL = 1,
    FSS_MANUAL = 2
} FEEDS_SYNC_SETTING;

FSS_DEFAULT - Use the system-defined DefaultInterval value.

FSS_INTERVAL - Use the Interval value defined by the feed.

FSS_MANUAL - Do not automatically update the feed. Use Download to manually update the feed.

which means that the feed initially uses the default sync interval to get updated. Upon download, the setting is changed to Manual since a feed that is GONE should no longer be updated automatically.
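The server-side view of the same problem, as an added example (not code from this blog or from the Windows RSS Platform): it counts requests that keep arriving after a client has already been sent 410 GONE, and parses the leading User-Agent product token so that the dashed form and the older form with spaces are told apart. The log lines, the category labels and the reader name "ExampleReader" are constructed for the illustration.

```python
import re
from collections import Counter

# HTTP "token" characters: a product name cannot contain spaces, because
# spaces separate product tokens and comments in the User-Agent header.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PRODUCT_RE = re.compile(rf"^({TOKEN})(?:/({TOKEN}))?(?=\s|$)")

# Combined log format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def first_product(ua):
    """Return (name, version) of the first product token, parsed by the grammar."""
    m = PRODUCT_RE.match(ua.strip())
    return (m.group(1), m.group(2)) if m else (None, None)

def classify(ua):
    """Label a User-Agent. The header is client-supplied, so this is a hint only."""
    name, version = first_product(ua)
    if name == "Windows-RSS-Platform":
        return "rss-platform/" + (version or "?")
    # With spaces, the grammar sees the product "Windows" with no version,
    # so the older string has to be recognised by its literal prefix.
    if ua.startswith("Windows RSS Platform/"):
        return "rss-platform-beta2-preview-format"
    return "other"

def hits_after_gone(lines):
    """Count requests made after the same client, UA and path already received a 410."""
    gone_seen = set()
    repeats = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        key = (m["ip"], m["ua"], m["path"])
        if key in gone_seen:
            repeats[classify(m["ua"])] += 1
        if m["status"] == "410":
            gone_seen.add(key)
    return repeats

OLD_UA = "Windows RSS Platform/1.0 (MSIE 7.0; Windows NT 5.1)"
RTM_UA = "Windows-RSS-Platform/1.0 (MSIE 7.0; Windows NT 5.1)"

# Constructed sample log (documentation address ranges, made-up timestamps).
LOG_LINES = [
    f'192.0.2.10 - - [27/Apr/2007:10:00:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "{OLD_UA}"',
    f'192.0.2.10 - - [27/Apr/2007:11:00:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "{OLD_UA}"',
    f'192.0.2.10 - - [27/Apr/2007:12:00:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "{OLD_UA}"',
    f'198.51.100.7 - - [27/Apr/2007:10:05:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "{RTM_UA}"',
    f'198.51.100.7 - - [28/Apr/2007:10:05:00 +0000] "GET /blog/index.atom HTTP/1.1" 200 5120 "-" "{RTM_UA}"',
    '203.0.113.5 - - [27/Apr/2007:10:07:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "ExampleReader/0.1"',
    '203.0.113.5 - - [27/Apr/2007:11:07:00 +0000] "GET /blog/index.rss HTTP/1.1" 410 0 "-" "ExampleReader/0.1"',
]

if __name__ == "__main__":
    for label, count in hits_after_gone(LOG_LINES).most_common():
        print(f"{count:3d}  {label}")
```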

- Walter vonKoch

Team RSS @ Microsoft - 27/04/2007 10:28:00

Windows Live Spaces goes RSS-crazy

It's been quiet here for a couple months, but plenty of things have been happening in the RSS world. Most recently, Windows Live Spaces had an update (more at the Space Craft blog).

Mike Torres, all-powerful lead PM on the Spaces team, dropped me a note to point out that they went RSS-crazy in this update, with category feeds, feeds for every list (even a feed for all lists), profile feeds, comment feeds, a feed of your friends, and even a feed of all of the feeds on your space.

It's fantastic -- everything you might want to get is accessible via RSS!

Mike's blog post has all the details.

- Sean

Team RSS @ Microsoft - 21/04/2007 06:04:00

Feeds Plus: An Intern Adventure

Last summer, we had a couple of interns on the RSS team here in IE: Nate Furtwangler, a developer intern, and Chrix Finne, a Program Manager intern. Nate and Chrix both did an amazing job helping us to ship IE7 and Vista, and they also found the time to knock out a really cool project. Here's a big thanks from all of us to them.

I'll let Chrix describe the project (and their experience) in his own words. In case you're wondering, the "where's Sean's office" thing is a reference to Chrix's decision that it would be fun to relocate my office to the roof of the parking garage while I was on vacation. Good times.

- Sean

 

Hi! My name is Chrix Finne and this past summer I was an intern Program Manager on the IE RSS Team – also known as ‘Team RSS got new digs so the interns got a window office.’ I had the privilege of working on several cool projects this past summer, and had a blast while doing it. Shoutout to my officemate Nate Furtwangler, developer intern and my partner in crime. Though they consumed far fewer Swedish Fish than Nate and I, my mentor Jane “where’s Sean’s office?” Kim and my manager Sean “Romulus” Lyndersay were also awesome and kept me on my toes. Congrats to the whole team on IE7 and Vista RTM!

We are proud to announce that our intern project, Feeds Plus also shipped! It’s a free IE7 add-on that adds two features to the Windows Feeds experience: aggregation and notification. We hope that Feeds Plus will help users get more flexibility and engagement with feeds in Windows.

Feeds Plus, running in the background, can combine multiple feeds into a single, river of news-style feed. All the user has to do is turn on Feeds Plus’ aggregator, and every folder of feeds will sprout an aggregate feed at the top. This can be very useful – for instance, I can make a folder with all of my news feeds and then read all my news at once through the News’ aggregate feed. Read/unread information is synced between the aggregate feed and its children, and aggregate feeds are searchable just like any other feed. If multiple feeds use Simple List Extensions (SLE) then the corresponding aggregate feed will as well – this is cool because you can combine multiple different eBay feeds, and use SLE to sort by price across all of them.

A pop-up feed notification reminiscent of Outlook’s is the second feature in Feeds Plus. The Windows Feed Download Engine always runs in the background, so users have to check to see if new items have arrived. With Feeds Plus, the user can choose which feeds matter most to them and get a pop-up ‘toast’ as soon as those feeds have new items waiting. The pop-up is designed to be unobtrusive—it fades in and out and won’t go crazy and flash every half second—and it includes a handy link to the feeds that it’s announcing:

Feeds Plus is an unsupported IE7 add-on (meaning that it’s not supported by Microsoft technical support or by the IE development team). One important note is that it does not have accessibility support in this release. Don't use it if you're uncomfortable using unsupported software.

Download Feeds Plus here.

So, that’s Feeds Plus. I also had the chance to help design the Feed Headlines gadget on the Windows Vista Sidebar. Feed Headlines shows the user a scrolling list of headlines from one or many feeds with a nice little preview window and links to the browser. It’s a great way to keep content handy – I keep an instance pointed at Engadget that I use to procrastinate all the time.

My favorite thing about Feed technology in Windows is how much freedom it gives the user to choose how, when, and where to consume different types of web content – from news feeds to Craigslist searches. I think that it’s critical to provide different ways to read and consume the feed content that’s coming in, so I hope you enjoy these little feeds extras.

Yours,

Chrix Finne

PS – One shameless plug: Nate and I were lucky enough to get interviewed by Channel 9, so if you want to see those Swedish Fish for real, keep an eye on Channel 9 (hint: they have a feed). They’re on the middle shelf above the demo laptop.

Team RSS @ Microsoft - 24/01/2007 07:41:00

Feeds not updating?

We've received some reports of users noticing that their feed subscriptions stop updating after upgrades. Our investigations show that these tend to occur after upgrades from one pre-release build of Windows Vista to another version.

If you're encountering this issue, first make sure that the feed URL is still valid by manually updating the feed (press F5 while viewing the feed in IE7). If no error shows up, then the following steps might help diagnose and fix the issue. Please let me know whether or not they help.

Note: The following steps are *not* addressing Outlook 2007's RSS support. If you are having issues with feeds in Outlook please refer to the Outlook blog.

Actions

  1. Check if Task Scheduler is running

    sc queryex schedule

    Look at the "STATE:" line; it should read "4 RUNNING". If it's not running, then start it:

    sc start schedule

  2. Check if RSS Download Engine is running

    reg query HKCU\Software\Microsoft\Feeds /v SyncStatus

    Look at the "Status" line; it should read "0x01" or "0x1". If it isn't enabled, then enable it:

    msfeedssync enable

  3. Check if task is corrupted

    schtasks /query | findstr /i "user_feed"

    Look for

    ERROR: The task image is corrupt or has been tampered with.

    ERROR: Task cannot be loaded: User_Feed_Synchronization-{..

    If corrupted, then delete and re-create the task

    msfeedssync disable

    msfeedssync enable

If your feeds are still not updating in the background after following these steps (you'll have to wait for the download interval to pass to make sure), please send us an email at teamrss[at]microsoft.com.

     

- Walter vonKoch

Program Manager

[4/2/2007] Updated step #2 to note that "0x01" and "0x1" are possible values. These are the same in this context.

[10/12/2007] Inserted a note that this post does *not* help with Outlook 2007, this post is focused on the Windows RSS Platform and applications built on top of the platform, for example: Internet Explorer 7, Vista Sidebar Feed Gadget, …

Team RSS @ Microsoft - 08/01/2007 21:08:00

Patent Applications in the RSS space

It's always fun when a story hits the blogosphere while you're stuck on a plane. :)

This will be short, because I'm connecting over a 14.4K modem line (I have the deepest sympathy for folks who still do this every day!), but I just want to say a few basic things about the RSS-related patent applications mentioned in the article and elsewhere.

First, these patents describe specific ways to improve the RSS end-user and developer experience (which we believe are valuable and innovative contributions) -- they do not constitute a claim that Microsoft invented RSS.

We have always fully acknowledged the innovators and supporters of RSS, like Dave Winer, Nick Bradbury and many others, and I can say, without hesitation, that I and my colleagues personally have the deepest respect for their invaluable contributions.

From the beginning we have sought an open and reasonable relationship with the RSS community. As one example, we have published various RSS and Atom extensions under a Creative Commons license. These specifications provide proof of our commitment to offer our contributions to the community and evidence of our efforts to advance the technology. We honestly hope that our work brings benefit to all feed publishers, developers and users, and we've been happy with the response we have received from the community so far.

Finally, as a number of commenters have noted, we are far from the only company to apply for patent protection in this space. Other companies, including Apple and Google, have apparently also applied for patents. Applying for a patent on your innovation is common industry practice, and one which, by incenting and protecting the companies and people involved, encourages everyone to contribute to the community.

I hope this helps put our position in perspective. I want to reiterate that my team and I are fully committed to RSS and feed syndication technologies in general and to the community. Please post any additional questions (I'm sure you didn't need an invitation :), and I'll get back to them in the new year.

Thanks,

Sean Lyndersay
Program Manager Lead, RSS

Team RSS @ Microsoft - 24/12/2006 00:18:40

Enclosure Download

A while ago I posted details about the RSS Platform Download Engine. That post focused on downloading of feeds, but did not include additional details on enclosure downloads.

   

Enclosures are, as most readers know, files that are "attached" to items in an RSS feed. Typically, a publisher will include a reference to a binary file, which an RSS aggregator can optionally download when the feed content is downloaded. The most common example of enclosure use in RSS feeds is for podcasting, where the attached (or "enclosed") files are audio files.

   

As with feed download, we designed the enclosure download with server and client bandwidth in mind since feed as well as enclosure downloads also happen in the background. Their impact on foreground applications should be limited. Similarly, the impact of large enclosure downloads on servers should be limited.

   

Let me sketch how the enclosure download process works:

  1. Every time the feed download engine runs, it processes feeds that have the "Automatically Download Enclosures" setting set to true. If it comes across a new item with an enclosure, it adds the URL of the enclosure to a FIFO queue.
  2. Before the enclosure is added to the queue, the URL is checked with the Attachment Execution Service API (AES) to ensure the enclosure file type is one of the permitted types. If it's not, the enclosure download is failed (IFeedEnclosure.LastDownloadError = FDE_DOWNLOAD_BLOCKED).
  3. The first 4 enclosures in the queue are then handed off to the Background Intelligent Transfer Service (BITS). BITS is a background download service that ships in Windows and which enables downloading of files in the background while limiting its effects on network usage. In particular, BITS uses HTTP RANGE requests to download files in chunks. BITS also monitors whether foreground applications (like email or browser) are using the network, and if so, it throttles back its own network usage to limit its impact on those applications.
  4. Once BITS completes downloading an enclosure, the Download Engine uses AES to save the enclosure to the folder corresponding to the feed. Saving via AES associates zone information with the file. The zone information is used when the file is launched at a later time.
  5. If there are more enclosures waiting to be downloaded and there are fewer than 4 enclosure downloads active, the next enclosure is handed off to BITS as in step #3.
  6. If, however, the server of the enclosure does not support HTTP RANGE requests, the Platform Download Engine falls back to downloading the enclosure via a regular HTTP GET request. If this attempt fails as well, then the enclosure download fails and will not be attempted again automatically.

       

Note that the enclosure fall-back download (HTTP GET) is size limited to 15MB to limit the impact of denial of service (DoS) attacks against the RSS Platform Download Engine. Since the RSS Platform Download Engine runs in the background, a malicious server could consume all of the client's download bandwidth without the user having any idea. Enclosure download via BITS (HTTP RANGE requests) is less impacted by such an attack and is consequently not size limited.

   

In other words, if you are an enclosure publisher that wants to serve enclosures larger than 15MB to IE7 users, then you should use HTTP servers that support HTTP RANGE requests. Most popular web servers support HTTP RANGE requests.

   

It's also worth noting, that when a server does not support HTTP RANGE requests, the RSS Platform Download Engine will issue two requests for each file (the first testing for HTTP RANGE support, and the second to download the file without range support).
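The range probe and the size-capped fallback described above, as an added sketch (not the RSS Platform's or BITS' code): one request tests for HTTP RANGE support, and a server that ignores it gets a second, plain GET whose body is cut off at the cap by counting the bytes actually received. The `send` transport hook, the segment size and the in-process fake servers are assumptions made for the illustration; nothing touches the network.

```python
import io
import re

FALLBACK_CAP = 15 * 1024 * 1024  # the 15MB limit the post gives for the plain-GET path
SEGMENT = 256 * 1024             # assumed range size; the post does not state one

class EnclosureTooLarge(Exception):
    """More bytes arrived than the caller was prepared to accept."""

def read_capped(stream, cap, chunk=64 * 1024):
    # Count received bytes; Content-Length is server-controlled and is not trusted.
    buf = bytearray()
    while True:
        block = stream.read(min(chunk, cap + 1 - len(buf)))
        if not block:
            return bytes(buf)
        buf += block
        if len(buf) > cap:
            raise EnclosureTooLarge(f"body exceeds {cap} bytes")

def download_enclosure(send, url, cap=FALLBACK_CAP, segment=SEGMENT):
    """send(url, headers) -> (status, headers, stream) is a hypothetical transport.
    Returns (mode, data, request_count)."""
    # Request 1: probe for range support (the probe body is not read).
    status, headers, _ = send(url, {"Range": "bytes=0-0"})
    m = re.fullmatch(r"bytes 0-0/(\d+)", headers.get("Content-Range", ""))
    if status == 206 and m:
        total, data, requests = int(m.group(1)), bytearray(), 1
        while len(data) < total:
            end = min(len(data) + segment, total) - 1
            want = end - len(data) + 1
            status, _, stream = send(url, {"Range": f"bytes={len(data)}-{end}"})
            requests += 1
            part = read_capped(stream, want)  # never accept more than was asked for
            if status != 206 or len(part) != want:
                raise IOError("server stopped honouring range requests")
            data += part
        return "range", bytes(data), requests  # ranged path: no overall size cap
    # Request 2: no range support, so a regular GET, limited to `cap` bytes.
    status, _, stream = send(url, {})
    if status != 200:
        raise IOError(f"enclosure download failed with HTTP {status}")
    return "get", read_capped(stream, cap), 2

class Endless:
    """Constructed hostile body: keeps sending whatever Content-Length claimed."""
    def read(self, n):
        return b"\0" * n

def fake_server(payload, ranges=True, hostile=False):
    """Constructed in-process stand-in for an HTTP server."""
    def send(url, headers):
        rng = re.fullmatch(r"bytes=(\d+)-(\d+)", headers.get("Range", ""))
        if ranges and rng:
            a, b = int(rng.group(1)), int(rng.group(2))
            head = {"Content-Range": f"bytes {a}-{b}/{len(payload)}"}
            return 206, head, io.BytesIO(payload[a:b + 1])
        body = Endless() if hostile else io.BytesIO(payload)
        return 200, {"Content-Length": str(len(payload))}, body
    return send

if __name__ == "__main__":
    episode = bytes(range(256)) * 40  # constructed 10240-byte "enclosure"
    url = "http://podcast.example/ep1.mp3"  # constructed URL
    print(download_enclosure(fake_server(episode), url, segment=4096)[::2])
    print(download_enclosure(fake_server(episode, ranges=False), url)[::2])
    try:
        download_enclosure(fake_server(b"x", ranges=False, hostile=True), url, cap=1024)
    except EnclosureTooLarge as exc:
        print("blocked:", exc)
```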

For more details on the security measures used to protect applications and users from potentially malicious enclosures, see Miladin's enclosure security post.

   

I hope that this description of the enclosure download process explains the "multiple-requests" that some publishers have seen, as well as the security restrictions associated with enclosure downloads.

   

-Walter vonKoch

Program Manager

Team RSS @ Microsoft - 06/12/2006 19:46:13

Windows Vista and Feeds

As noted pretty much everywhere on the web, Windows Vista launched (for businesses) last week.

Windows Vista includes IE7 and the Windows RSS Platform, and is therefore the first Windows operating system to ship with built-in support for RSS (and the first OS of any kind to have RSS support built-in as a native platform component).

Windows Vista is, in fact, the fulfilment of a promise we made over a year ago at Gnomedex 5.0: Longhorn loves RSS.

 

In addition to the reading experience in IE7, and the platform features, Windows Vista also includes the new Windows Sidebar, which ships with a Feed Headlines gadget.

The team that built the gadget have written up a great post on how the gadget was built, and how they leveraged the RSS platform to make development much easier for themselves.

Read their post here: Building the Feed Headlines Gadget.

In case you haven't seen the gadget in action, the screenshot below shows the gadget after the user has clicked on a headline (I've configured it to show the headlines from the MSNBC News feed).

Many thanks to the folks on the Sidebar team that developed such a great gadget, as well as to Chrix Finne, who interned on the IE RSS team as a PM this past summer, and helped out the Sidebar team with feature design for this gadget.

- Sean

 Note: Apologies to readers who downloaded an earlier version of this post, which used a photograph taken by Niall Kennedy and posted on flickr.com. He did not appreciate the usage, and replaced it with a different image. I forgot to include an attribution, which I had fully intended to do, but for which I apologise to him.

Team RSS @ Microsoft - 04/12/2006 20:01:00

Thank you.

It's been a hectic week.

Between getting thrown in a fountain (that's my boss, Group Program Manager of IE, but almost everyone went in at some point), and being filmed for Channel 9 video (say hi to Arvind, Will and Cindy, about half of the RSS test team), I forgot to post a note here. But, I figured that most people had probably heard that IE7 for XP (including the Windows RSS Platform) shipped last Wednesday.

But, in case you haven't... Dean Hachamovitch (GM of IE) has a post over on the IEBlog that covers all of the goodness that's in IE7. There's some good information on how to give feedback and get support, and the plans for Automatic Update distribution of IE7.

Now that the week is over, I'm taking a minute to reflect. Building IE7's RSS features and the Windows RSS Platform has been a great ride for all of us on the RSS team. More importantly, it is abundantly clear that we could not have done it without the feedback and comments from all of you (anyone remember the icon posts?).

So, on behalf of the whole team: thank you.

As Dean said in his post, we have already started work on plans for the next version of Internet Explorer (which includes, of course, plans for the next version of the IE RSS features and the Windows RSS platform). So, feel free to use the comments on this post to let us know what RSS features are on the top of your must-see list for the next release.

Thanks again,
Sean

Team RSS @ Microsoft - 22/10/2006 07:14:00

Attensa for Outlook 2.0

The folks at Attensa make a slick RSS aggregator that integrates with Outlook and provides a River of News-style view with prioritization based on what feeds you use the most.

Not too long ago, they released version 2.0 of the Attensa for Outlook product. Along with a ton of other great features, it includes synchronization with the Windows RSS Platform, so when you hit that RSS button in IE, the feed can automatically show up in Attensa -- which is great if you're using Attensa as your primary RSS reader.

This has been one of our guiding principles in IE7 -- you don't have to read your feeds in IE. By using the open APIs of the RSS platform, developers of innovative new RSS readers like Attensa can gain access to the orange button in IE7 that Steve Rubel loves.

Attensa works with Outlook 2000, Outlook XP and 2003 (Outlook 2007 support is in the works). If you're an Outlook user, you should definitely check it out. It's free -- so it's an easy choice if you're looking to try out something new.

- Sean

Team RSS @ Microsoft - 10/10/2006 19:32:00

Saving and loading feed lists in IE7 using OPML

One question we get asked occasionally is:

How do I back up my feed list?

Well, it turns out that there is a standard way to save a feed list in a single file for backup or other purposes. It's called OPML, and IE7 supports importing and exporting feed lists via OPML.

Here is the step-by-step process for backing up your feed list to an OPML file in IE7:

  1. Click on the Add button (the star and plus button next to the Favorites Center button -- Alt-Z is the keyboard shortcut).
  2. Click on Import and Export in the menu.
  3. In the wizard, select Export Feeds from the list of options and click Next.
  4. Select where you'd like the file to be put (by default, it's called feeds.opml, in your Documents folder)
  5. Finish up the wizard.

The OPML file generated will contain your entire feedlist, including any folders you may have created. Simply repeat the process (selecting Import Feeds) to restore a feed list.

As I noted above, OPML is the standard way to save a feed list, and it's supported by pretty much every aggregator out there. You can use the steps above to save your feed list to use in another aggregator or to import a feed list created by another aggregator.

Since IE7 uses the RSS platform, you can also use this technique to import or export lists of feeds from and to any application that uses the RSS platform.

Oh, and by the way -- IE7 is coming this month.

Sean

Team RSS @ Microsoft - 08/10/2006 22:34:32

MSR Asia: RSS Reading Habits Survey

What better way to spend a Friday afternoon (Redmond time, at least), than by filling out a quick 8 question survey on your RSS reading habits, hosted by the MSR Asia Center for Interactive Design?

Even if you don't take the survey, the results will be publicly available on Oct 20th (and there's even a results feed to which you can subscribe to get them when they are available).

Check out the post on the team's blog as well.

- Sean

Team RSS @ Microsoft - 23/09/2006 01:53:29

RSS Platform MiniSDK

Have you wanted to use the Windows RSS Platform from C++? Unlike managed code or script there is no simple way to create header files with the declaration of the IX.. interfaces which are designed for use from C++. Of course the msfeeds.h header file is included in the Windows SDK. If you are hardcore about Windows development you might already have it installed. However, not everyone wants to install the 1GB+ just to get the msfeeds.h header file.

Fear not, I've recently posted on my blog a MiniSDK which includes the required headers to use the RSS Platform from C++. I hope this will save you some time and effort.

-Walter vonKoch

Team RSS @ Microsoft - 22/09/2006 23:20:00

Securing feed enclosures

Greetings,

I am one of the developers on the RSS team, and to complement Sean’s and Walter’s recent postings on feed security, I would like to talk about one topic that didn’t get as much attention in recent discussions on feed security as perhaps it should have - feed enclosures. Enclosures are files “attached” to feed items, commonly used in podcasting and often automatically downloaded to user’s machine by aggregators.

In IE7 and the Windows RSS Platform, we have taken a number of precautions to protect users and developers against feeds which may attempt to use enclosures in malicious ways.

To begin with, when a user subscribes to a feed in IE7 enclosure downloads are turned off by default. Users can easily opt-in to enclosure downloads via the feed properties.

We also treat enclosures as inherently un-trusted files – in many ways similar to email attachments. We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable). For this we use the most flexible mechanism possible, the Attachment Execution Service (AES). In simple terms, the AES maintains a list of file extensions that are considered dangerous, including the directly-executable file types, which the RSS platform consults to decide whether or not to block a file.

Besides blocking the dangerous file types, AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. Windows Defender has implemented this integration, so on Windows Vista (or if the user has installed Windows Defender on Windows XP), the user will gain that additional level of protection from the malicious files.

IE also has a mechanism to block file downloads on a per-zone basis, so before fetching the enclosure we also verify that downloads are allowed for the URL. You can find this per-zone setting in your Internet Options, under Security tab. The simplest way to prevent enclosure downloads from a site is to add it to the Restricted Zone, where downloads are disabled by default.

If an enclosure download does get blocked for security reasons, this is reported in the feed view as well as through the RSS platform’s LastDownloadError property.

Downloaded enclosures are stored in a subfolder of the Temporary Internet Files folder. The full path to the enclosures is different on every machine, preventing malicious feeds or other malicious code from using enclosure downloads as a vector to get known files on the system, as well as ensuring that other applications don’t unknowingly access enclosure files. If an application wants access to the downloaded enclosures it needs to obtain the path from the RSS platform.

To summarize: enclosures are treated as un-trusted files, and the following security mitigations are used:

  • Enclosure download is off by default for all feeds.
  • Directly-executable files are blocked from being downloaded, using the Windows Attachment Execution Service (AES).
  • Anti-virus and Anti-spyware applications (like Windows Defender) can integrate with AES to dynamically block malicious files.
  • Files are stored in a variable location on each PC, ensuring that applications must opt-in to consuming the enclosures.

As before, we want to make sure all aggregator developers know that the tools we are using to make IE and the RSS platform more secure are available for their use as well:

Once again, we would like to reiterate our commitment to working with the community to improve feed security, and as always we are open for your feedback and questions.

Thank you,

Miladin

Update 9/25/2006: Added a summary paragraph for clarity

Team RSS @ Microsoft - 21/09/2006 02:25:00
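
The enclosure checks summarized in the post above can be sketched for an aggregator that does not use the RSS Platform. This is an added example, not code from the post or from Microsoft: the deny list is a constructed sample standing in for the list AES maintains, the function names are hypothetical, and the per-zone check and anti-virus integration are not modelled.

```python
import posixpath
import secrets
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Constructed sample deny list. On Windows the real list is maintained by AES.
DANGEROUS_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "msi", "lnk"}


def enclosure_filename(url: str) -> str:
    """Return the normalized file name an enclosure URL would be saved under."""
    path = unquote(urlsplit(url).path)  # ignore query/fragment, decode %2E etc.
    name = posixpath.basename(path.replace("\\", "/"))
    # Windows ignores trailing dots and spaces, so "a.exe. " is still a.exe.
    return name.rstrip(". ").lower()


def is_blocked(url: str) -> bool:
    """True when the enclosure must not be downloaded."""
    name = enclosure_filename(url)
    if not name:
        return True  # no usable file name: fail closed
    _, dot, ext = name.rpartition(".")
    return bool(dot) and ext in DANGEROUS_EXTENSIONS


def make_cache_root(base: str) -> Path:
    """Build the path of an enclosure cache whose folder name is unpredictable."""
    return Path(base) / secrets.token_hex(8)


def decide(opted_in: bool, url: str, cache_root: Path):
    """Apply the checks in order and return (allowed, reason, save_path)."""
    if not opted_in:
        return False, "enclosure download is off for this feed", None
    if is_blocked(url):
        return False, "blocked file type", None
    return True, "ok", cache_root / enclosure_filename(url)
```

The extension is taken from the decoded URL path only, so a query string such as `?file=setup.exe` neither hides nor triggers a block, while `show.mp3.exe` and `setup%2EEXE.%20` are both refused.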

NewsGator Desktop Sync in Beta

Earlier this year at Mix06, Greg Reinacker and I did a talk on the RSS platform, during which he demo'd a tool to synchronize the RSS platform state with NewsGator Online.

Yesterday, Nick Harris announced that the sync app, now known by the name of "NewsGator Desktop Sync" has gone into beta, and is available for everyone to download.

From Nick's post:

Desktop Sync is a system tray application that keeps your feeds, folders and read states synchronized between NewsGator Online and the Windows RSS Platform.  This means that any application that uses the Windows RSS Platform will be automatically synchronized with your NewsGator Online account!

Check out Nick's post for information on where to download and where to give feedback (you'll need IE7 RC1 or Windows Vista RC1, and a free NewsGator Online account for it to work).

I just want to also use this opportunity to thank Nick, Greg and the others at NewsGator for their great feedback on the RSS platform. It has been great working with them.

- Walter vonKoch

Team RSS @ Microsoft - 19/09/2006 23:13:32

More on Feed Security

Shortly after the SPI Dynamics presentation that sparked a renewed discussion on feed security in the community last month, James Snell developed a suite of tests (based on an earlier set by James Holderness), and generously made them available quietly to aggregator developers. He has now made the tests public.

I contacted James last month (via email as he requested) and he pointed me to the test suite, so we could test them against our own security mitigations. We have done full test passes using his test suite.

The result: IE7 passed all of the tests (which means that no script from the feeds executed successfully in IE, and that developers using the RSS platform would not have been vulnerable to the class of attacks in the tests). This confirms SPI Dynamics' findings that IE7 was not vulnerable to the attacks described in their paper.

I thought it might be useful to use this opportunity to talk about our commitment to security, the defense-in-depth strategy that we have taken, and how other aggregator developers might benefit from the work we have done.

Our commitment to security

To put it bluntly, we are keenly aware that IE is a target for security researchers and hackers. We know we cannot afford to be lax in how we approach security. It has therefore been our #1 guiding principle that we would aim for a secure experience first -- sacrificing functionality, if necessary, to achieve it. 

Long-time readers may remember this post from last November, in which we announced that we would only support well-formed XML in feeds -- the post was the direct result of a long internal discussion about ways to securely handle malicious feeds. Refusing to handle malformed XML eliminates a large class of potential attacks.

Walter posted last month on the details of how IE7 and the Windows RSS Platform protect users and developers from script in feeds. To summarize what he wrote, IE7 employs a (roughly) two-level defense-in-depth strategy:

  • Sanitization: First, the Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.
  • Restricted Feed View: Second, just in case the first step misses something, IE's feed view uses a variation on the Restricted Zone to show a feed, meaning that no script in a feed will run, even if it made it through the previous step.

Each of the two defense-in-depth steps described above requires a significant amount of code and investment, but security has always been important enough to us that they were the first major pieces of development that we did when we began implementing the RSS features. In fact, these security features have been in place since the first public release of the IE7 RSS platform features last February.

To give you a sense of what is involved -- at one point in development, the sanitization code accounted for fully one-third of all the code in the RSS platform. The code takes lessons from similar libraries used for years to clean the billions of messages that Hotmail receives, and used for a number of releases in various parts of Office.  It includes a number of feed-specific additions (for example, if an element is supposed to only contain text, then we can remove all HTML, not just the script). We validate and sanitize every documented element in each format we support, as well as a set of common RSS extensions. This is all done before an item is ever stored on the system.

In IE itself, the "restricted feed view" was also a significant challenge because of the interactive nature of a feed view. We designed and developed a feed view that required no javascript for the various controls (subscribing, filtering, sorting, or searching) to work. In fact, the IE7 feed view implementation is effectively that described by Nick Bradbury in his recent post on feed security (using a script-less page, and manipulating the view from the hosting code).

The bottom line is that IE takes security very seriously. We have invested a great deal of time in hardening IE7 across the board, and nowhere more seriously than in our RSS features. It is an ongoing process, however, and we deeply appreciate the efforts of those in the community who have developed additional security tests and allowed us to use them.

Looking forward

We also look forward to continuing to work with the community to improve the security of all aggregators. To that end, we want to make a couple offers to developers of Windows aggregators:

  • First, you should feel free to contact us if you have questions that come up while implementing a fully restricted feed view using the techniques that Nick talked about in his post. If there is enough demand, we may write a blog post on how the IE feed view is built, so people can learn from what we’ve done. 
  • Second, the Feeds API includes a utility function called Normalize(), which can be used to gain access to the platform's HTML sanitization code. Contact us if you'd like more information on how you could use this to supplement your own sanitization code. 
  • Finally, I’ll make the obvious point that the entire platform is available for your use, including not just the security features described here, but storage and a suite of bandwidth management features. I understand, of course, that for many existing aggregator developers, switching storage and download engines may be too significant a change in their applications, but I do want to encourage developers of new applications to consider it.

Thanks for reading,
Sean

PS. Of course, there will be some readers who see this post as a challenge and start looking for exploits in IE's RSS features. If you do find any, please let us know! :) We know that no security is perfect, and that it is an on-going process.  

Team RSS @ Microsoft - 09/09/2006 04:31:00
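
Two of the rules described in the post above, rejecting feeds that are not well-formed XML and removing all HTML from elements that should only contain text, can be combined as follows. This is an added example, not the RSS Platform's sanitization code or its Normalize() function; the sample feeds are constructed and the function names are hypothetical.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feeds (not taken from any real site or test suite).
GOOD_FEED = b"""<rss version="2.0"><channel><title>Demo</title>
<item><title>Hello &lt;b&gt;world&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt;</title></item>
<item><title>&lt;img src=x onerror=alert(1)&gt;Episode 2</title></item>
<item><title>&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;</title></item>
</channel></rss>"""
BAD_FEED = b"<rss><channel><title>Unclosed</channel></rss>"


class _TextOnly(HTMLParser):
    """Keeps character data; drops every tag, attribute and script/style body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def text_only(markup: str) -> str:
    """Reduce markup found in a text-only element to plain text."""
    parser = _TextOnly()
    parser.feed(markup)
    parser.close()
    return " ".join("".join(parser.parts).split())


def item_titles(feed_xml: bytes):
    """Return item titles escaped for HTML display, or None for a malformed feed."""
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError:
        return None  # not well-formed: reject the whole feed, attempt no repair
    return [html.escape(text_only(item.findtext("title", default="")))
            for item in root.iter("item")]
```

The third sample title is double-encoded, so it survives tag stripping as literal text; escaping on output is what keeps it inert when the title is later placed in an HTML view.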
