Some interesting responses to my complaint about feed readers stripping CSS:

• Nick Bradbury – Response: On Stripping Styles For Security
• Sam Ruby - Stripping Styles

There’s a common misperception that my complaint was about all styles but in fact I was just referring to inline styles on the basis that they are actually part of the content, not just presentation. Sam Ruby points to a feed from Wikipedia that is exactly the use case I had in mind. Many of the comments however want to strip styles to preserve a uniform look in a “river of news” type of reader, for example Nick’s comment:

The real problem isn’t security, though: it’s presentation (ironically). Leaving styles intact makes sense if you’re reading one post at a time, but it makes less sense in a river of news where posts from multiple feeds flow down the page. The purpose of a river of news isn’t to retain the presentation of any single post, but instead to provide a common presentation for all posts, making it easy to pick out the ones that interest you.

If you don’t download external stylesheets (which probably aren’t referenced by the feed anyway) there’s a very good chance that the resulting presentation will be consistent, without stripping out important visual information. Even if you’re reading one item at a time rather than a river of news, it’s far more efficient for the styles to be consistent so I doubt there’s any real call for rendering entries the same way they appear on the site. Consistency is important to everyone, but data loss should be a concern for everyone and right now we’re losing a lot of data.

Nick also commented that preserving styles while maintaining security isn’t too difficult and Sam Ruby and Paul Querna pointed to the sanitization rules wiki page, so the technical challenges seem to be solvable, but there’s still one problem: users. The thing is, people too regularly abuse HTML and use inline styles for presentation rather than just visual data either from a lack of understanding or a desire to push their advertising. How do we solve that?

The first line of defense is to remember that feeds are opt-in, if people misbehave and push advertising or generally do annoying things in their feed you can easily unsubscribe. Social pressure is always the best solution but it’s not 100% effective so we’ll probably need some technical measures as well.

The second line of defense unfortunately is likely to be user preferences1. It’s important that they are available on a per-feed level so that you can disable styles in feeds that do the wrong thing, but preserve the visual data in those that get it right. I wonder if there are a few simple heuristics that could be applied. For example stripping any style that’s applied to the entire content would fix the common case of people using inline styles to change the font face or size instead of just adjusting their stylesheet. I’m sure there are a few other simple rules that could be identified to prevent the most common abuses of inline styles without having to strip all CSS.

I’m glad there’s some discussion of this beginning as it’s the only way we’ll find good solutions that let us keep the benefits of feeds that we have and expand on them by leveraging newer technologies.

1 – unfortunately because complicating software by providing more options is never ideal↩