I’ve seen that every embedded website called “original” gets a short url. This may be problematic when users add personalized/private feeds since the attacker only has to add all possible numbers to the url, e.g. newsblur.com/reader/page/12.
You’re right, it’s partially insecure. Maybe I could add a check to that view to see if you are both a) logged in and b) subscribing to it. However, all it would take is for a user to subscribe to the feed, which isn’t easy since they don’t know the url and user/pass combination.
The only problem is figuring out whether or not to check all of this, just based on some arbitrary criteria. I don’t want you to have to mark that a feed is private just to remove it from easy public access.
Thought about an option in the feed settings, too.
An other option is to simply pass the whole URL of the requested site. But in this case you have to add a validation/authentication hash or something to prevent abuse of your service since the ID database lookup is missing.
Anything new here?