Geoffrey Meredith
Thoughts on Technology


(posted on 28 May 2008)
I received an interesting message yesterday from a developer using Microsoft's Silverlight (I suspect a Microsoft employee).  He was trying to read a RSS feed from the website but couldn't because did not have a cross-domain policy file.   My immediate thought was "What's Microsoft attempting to do to RSS?"  It felt like some kind of Trojan Horse, sneaking in with the Silverlight runtime.

My "expertise" in Silverlight cross-domain policy requirements consists of about 10 minutes reading the provided references, so I could be completely wrong about all of this but here are my concerns about using this for RSS.

Microsoft seems to have modeled this on Adobe's cross-domain policy file (/crossdomain.xml) and will fall back to this file if it doesn't find it's perferred /clientaccesspolicy.xml.  The idea being that client software that supports the use of this policy file will use it to decide if the content on a given website is allowed to be used by the client.  So for Adobe Flash or MS Silverlight runtimes, it's a way to prevent someone from creating an application that access resources from a website that does not explicitly give it permission.  (I'm assuming that this is a technical permission and does not assign copyrights but I'm Not A Laywer). 

I don't know how effective this has been for controlling cross-domain usage of Flash resources but it seems superficially viable.  Especially with the Flash file formats and players that were at one time proprietary (are they still?)  This could provide for a type of DRM, regardless of it's effectiveness.

The problem with applying this kind of DRM to RSS is that in some respects, a RSS file *is* a content policy file.  It kind of says: "Instead of scraping data from my website's HTML pages, I'll give you this data in an nice machine readable format so you will get it right and so I can have some say in what and how it is presented."  By having an RSS feed, we are saying you can use this data in the RSS file but leave the rest of what's on the website alone.  I don't know how much legal standing this has but there does seem to be a pretty clear common sense message in RSS.

So over the last 8 years RSS has developed with a fairly universal understanding that its reasonable for any software to import and use it (within the bounds of copyright) and that if the publisher doesn't like this, then don't publish it.  If you want to restrict access to an RSS feed, use technology (such as HTTP basic authentication) to do that.

So why is Microsoft demanding a new layer of permission system (DRM) to be present before a Silverlight program can access resources that have been considered completely open?  Is this just the side effect of overly intrusive legal counsel?  A beta software problem where RSS was just thrown in with media files types and no one considered this issue?  Or is just another example of Microsoft's long history trying to turn open standards into proprietary Microsoft monopolies?