One of the bugs I fixed for Confluence 2.2 was [CONF-5847] Add authentication to discoverable RSS feeds when user is logged in.
Most of the pages in Confluence that contain lists of content — the dashboard, recent updates pages, blog/news lists and so on — also come with associated RSS feeds. You can find these feeds by looking for the feed icon in the top right corner of the page, or browsers and newsreaders can locate the feed URL automatically using a standard autodiscovery protocol.
So far, so good.
One problem we’ve had with RSS is that of authentication. You log into Confluence the same way you log into most web applications: by typing your username and password into the login form and having your browser store a session cookie that identifies you. This mechanism doesn’t work for RSS. If you want an authenticated RSS feed, you either have to encode the authentication information into the URL itself (so if someone gets hold of the URL, they can use it to get your private information too), or by having the user authenticate with HTTP Basic Authentication. Almost all RSS readers support Basic Authentication, so that’s what we went with.
The next problem is that Basic Authentication doesn’t support the option of not logging in. Either a resource requires a username and password, or it doesn’t. There are ways around this, but none of them are user-friendly. Our solution was that there are two types of feed in Confluence: anonymous feeds that require no login but only give back the information an anonymous user might see, and authenticated feeds that require a login and give back all the information the authenticated user can see.
Still, so far so good.
CONF-5847 arose because our autodiscovery feeds were all anonymous. This meant that when you hit the subscribe button in your browser, you often wouldn’t see anything in the feed because all the content you were viewing was protected and the anonymous feed didn’t give you access to see it. My simple solution was to set a flag so that if the user was logged in, autodiscovered feeds would also be authenticated feeds.
Enter the Google Toolbar.
For some reason, the Google Toolbar, when it finds RSS autodiscovery in a web page, pre-fetches the feed without any user intervention. And since the feed being pre-fetched requires basic authentication (which none of the rest of the site does), suddenly users are being faced with an ugly browser login prompt for a site they already think they’re logged in to.
Pre-fetching of the feed wasn’t something I anticipated, largely because the feed is, by definition, an alternate form of the page you’re looking at. The autodiscovery mechanism even labels it <link rel=”alternate”…>. Automatically downloading the RSS version of a page you’re already viewing would be as redundant as automatically downloading the PDF version.
The fix is pretty simple. Even when we specify basic authentication, we should check the regular cookie login first just in case. But still, it’s just another example of why pre-fetching web content is evil.

Prefetching is Evil #13552