Third-party means not you or me, but them.
🔗 3 shares
My customers often ask how a third-party asset got on their site. A director of digital once told me that Facebook was not on their site, not at all.
I ran the homepage through WebPageTest and sure enough, there were a bunch of calls to various subdomains of facebook.com. Thankfully WebPageTest stores initiator, referer and redirect headers; so with a little work you can find out where these third-party calls come from. The director was correct, there were no calls to Facebook on their site. It was a third-party creating fourth-party calls to Facebook! This can have serious ramifications if the Facebook (or any other third-party call) affects customer experience. Radware explain this well in an article from 2011
Trawling through the initiators and referers was a headache so I wrote a tool to do it: requestmap.webperf.tools
The request map runs a test in Chrome on public WebPageTest and uses the initiator, referer and redirect data to work out where every request comes from. Here’s the result when you run Google.co.uk through the tool:
From the picture I can see immediately that the bulk of the content on the page comes from www.google.co.uk (size of blob is proportional to percentage of total bytes). There is a redirect from google.co.uk -> www.google.co.uk and a number of requests from other Google-owned domains.
It all looks pretty simple on Google.co.uk, there’s basically nothing on it. But when it comes to an ecommerce site or a site generating advertising revenue, third-parties are everywhere. Whether they are for analytics, advertising, tracking, attribution… third-parties make people money. As such, they tend to be added to sites without much consideration for management of the relationship, the technology and (dare I say it) third-party SLAs.
Take the answers.com homepage as an example:
Here you can see that the root domain (www.answers.com) makes up a small proportion of the total page weight. This site uses domain sharding across a number of CDN domains (in yellow) to maximise performance for high-bandwidth customers. One CDN subdomain stands out from the others though: rxf3.answcdn.com is the big yellow blob on the right. Almost 500kB of content comes from this domain but, more interestingly, it initiates calls to Google and Facebook which then spawn requests to another six domains!
Another observation is based on the length of the edges on the map (the lines which join the blobs), these are proportional to the mean response time of that domain. Blobs that are far away from the target site on the map are far away from the customer’s experience. A single asset from www.dsply.com (far left) took over 1.1s to load less than one kilobyte of content! It also took almost a second to load two kilobytes from snip.answers.com. Are these assets critical to the user experience? If so, there’s a massive performance hit here.
There’s a lot of work to do on analysing third-party components but visualising who is on your site (and how they got there) is a good start!
Recent shares
-
![]( "Satoshi Nagano")
viewこんな素晴らしいツールがあったのね。simonhearne.com/2015/find-thir…
-
view
Third-party scripts on your site present a potentially dangerous side effect. We don’t know what additional assets third-party load. That has security and performance implications. This post will look at the performance side of the issue.
As Simon Hearne writes in How to Find the Third-Parties on Your Site using third party scripts that, in turn, make calls to additional sites and parties outside their (and your) control can affect the performance of your site. Quoting the post:
I ran the homepage through WebPageTest and sure enough, there were a bunch of calls to various subdomains of facebook.com. Thankfully WebPageTest stores initiator, referer and redirect headers; so with a little work, you can find out where these third-party calls come from. The director was correct, there were no calls to Facebook on their site. It was a third-party creating fourth-party calls to Facebook! This can have serious ramifications if Facebook (or any other third-party call) affects customer experience.
So why does this matter?
As Steve Souders (Frontend SPOF and Frontend SPOF survey), Pat Meenan (Testing for Frontend SPOF), and Joshua Bixby (How vulnerable is your site to third-party failure?) write, “fourth party” scripts (scripts called from third party code) can have adverse effects on your site’s performance. You (and potentially your client) have no way of controlling what these scripts do and whether they will block or slow down rendering.
In Things to Know (and Potential Dangers) with Third-Party Scripts, Yaphi Berhanu list additional concerns about third-party scripts that go beyond performance. The article is from 2017 still presents points that are still worth researching.
Testing
A very interesting to see the number of requests your third party scripts generate is to run your site through Request Map and see the results. I was surprised to see how many of its submodules a script requested in the layout-experiments site.
The images that follow present Request Map results for three different websites, two sites I own, and cnn.com.
For the CNN request map, note that the circles are smaller and the name of individual assets is impossible to read because of the number of assets involved.
Requet map for rivendellweb.net. Created from Request Map Generator
Requet map for layout-experiments.firebaseapp.com. Created from Request Map Generator
Requet map for CNN. Created from Request Map Generator<h2>Solving the issue</h2>In an ideal world, you’d be able to trust your third party scripts that they will do a minimum due diligence on their dependencies.
But in the real world, we don’t have that luxury. We use what we must and we hope that scripts that are loaded by our third-party scripts will not slow down our applications.
Tools like request map will not stop the spread of unknown and unwanted scripts but they will help when clients ask you where did that script comes from and when you go to the third party script providers and ask why are the additional assets being loaded.
