Lock in $30 Savings on PRO—Offer Ends Soon! ⏳

It’s My (Third) Party, and I’ll Cry if I Want To

It’s My (Third) Party, and I’ll Cry if I Want To

Like it or not, a huge part of modern web development involves the use of third-party providers: fonts, analytics, ads, tracking, and more all have an impact of performance, and can leave us (or, more worryingly, our visitors) susceptible to performance degradation.

In this talk, we’ll take a look at unruly or uninvited (third-)party guests: how to detect them, how to audit them, and how to manage them. We’ll also look at the different tools available to help us stress-test and quantify the overhead these third parties bring, and what that means for users and businesses alike.

Harry Roberts

May 11, 2018
Tweet

More Decks by Harry Roberts

Other Decks in Technology

Transcript

  1. It’s My (Third) Party, and I’ll Cry if I Want

    To Harry Roberts • @csswizardry
  2. “ “YouTube was recently caught displaying ads that covertly leach

    off visitors’ CPUs and electricity to generate digital currency on behalf of anonymous attackers…” — csswz.it/2ruKhN0
  3. “ “There is zero performance overhead to using our synchronous

    script [...] our typical response time is around 200 milliseconds”
 
 — Third-Party Provider
 — Ryan Townsend (csswz.it/2K4w2GB)
  4. “ “The Trainline reduced latency by 0.3 seconds across their

    funnel and customers spent an extra £8.1 million a year.”
  5. “ “For every 100ms decrease in homepage load speed, Mobify’s

    customer base saw a 1.11% lift in session based conversion, amounting to an average annual revenue increase of $376,789.”
  6. $ awk -F',' '$2 != "Target Site" { print $1

    }' cnn.csv Field Separator
 is a comma If the second entry
 is not ‘Target Site’ Print the first entry
 (Domain)
  7. ## # Point third-party domains at WPT’s blackhole server. ##

    72.66.115.13 platform.twitter.com 72.66.115.13 connect.facebook.net 72.66.115.13 fonts.googleapis.com Blackhole
 Server
  8. “ “All your users are non-JS while they’re downloading your

    JS.” —Jake Archibald (csswz.it/2FGKrpW)
  9. “ “In this particular instance, the T-Mobile JavaScript comment stripper

    appears to be searching for ‘/*’ and ‘*/’ and removing everything in-between. ” — csswz.it/2KE2lNQ
  10. Necessary Evil Is it?
 Really? Might it add
 real value?

    They can’t
 All be evil! Tracking scripts
 Are pretty icky Does it help
 users? Would we
 even miss it? What are the
 chances of something
 going wrong? Is the benefit
 greater than the cost?
  11. “ “Can you talk me through Google Tag Manager?
 What

    does this particular third-party do for us?
 Who is responsible for this service?
 Which services do we use daily?
 Are there any services in here that we don’t recognise?”
  12. Self-Hosting Third-party assets from a first-party origin Controlled infrastructure Reduced

    network negotiation (DNS, TCP, TLS) Dictate your own caching strategy Preload!
  13. Load Asynchronously Synchronous (blocking) third parties create a SPoF Use

    any provided async method Most providers give an async loader… …be suspicious of any who don’t.
  14. Resource Hints Every trip to a new origin carries overhead

    (DNS, TCP, TLS) Deal with this ahead of time for known third-party origins Analytics services, font providers, ad networks, etc.
  15. {% if page.layout != "feature" %} <link rel="preconnect" href="//cdn.carbonads.com"> <link

    rel="preconnect" href="//srv.carbonads.net"> <link rel="preconnect" href="https://cdn.speedcurve.com"> <link rel="preconnect" href="https://cdn.syndication.twimg.com"> <link rel="preconnect" href="https://platform.twitter.com"> <link rel="preconnect" href="https://syndication.twitter.com"> {% endif %} {% if page.page-class == "page--services page--workshops" %} <link rel="preconnect" href="https://gumroad.com"> {% endif %} <link rel="preconnect" href="https://www.google-analytics.com">