MetaWeblog

This article is a stub. You can help the IndieWeb wiki by expanding it.

The MetaWeblog API is an outdated (superseded by Micropub) XML-RPC based API for CRUD operations between blog client and server software that depends on username and password being entered into clients (instead of OAuth) and sent over HTTP (often not HTTPS) and thus creating a security vulnerability for users.

Gateway

Aaron Parecki wrote an experimental MetaWeblog to Micropub gateway to translate the XML-RPC API requests to simpler Micropub requests.

• https://aaronparecki.com/2018/04/09/5/
• https://xmlrpc.p3k.io
• https://github.com/aaronpk/xmlrpc-micropub-bridge

Criticism

Security

The MetaWeblog API sends your username and password in plaintext in the body of the XML-RPC request. Anyone listening to the communication between your client and server is able to get your password. Ideally, one would not be using MetaWeblog to post entries over public wifi (say, on a smartphone).

Authentication at the application level is a layer violation. The Atom Publishing Protocol does not have plaintext username/password transmission but delegates authentication to HTTP.

Jacky Alciné 13 Apr 2022: The sending over credentials in the body seems like less of an issue if it's sent over TLS/HTTPS.

Encourages Password Antipattern

A service or application requesting and using a username/password from another service is a practice to be avoided known as the password anti-pattern.

The MetaWeblog API requires providing username and password for a service or server, to the MetaWeblog client application or service, and thus by design encourages implementations of the password anti-pattern.

Modern replacements for MetaWeblog like Micropub use IndieAuth/OAuth instead of requiring sharing of username/password credentials.

See Also

• http://en.wikipedia.org/wiki/MetaWeblog
• XML-RPC
• AtomPub
• Micropub