Third-Party Content
The weak link in your chain?
Simon Hearne - Web Performance Consultant
#perfmatters conf 2018
AKA
Bad people
doing horrible things
to good sites
The modern web workflow 101
make something ๐ค
test it ๐
ship it ๐
...
put tags on it ๐ณ
AMP got something right ๐
What i've learned in 5 years
we seem to have less control than ever
The "business" ๐ฉโโ๏ธ
Tags serve business goals
- Measurement & Analytics
- Ads & Retargeting
- "Optimization" & Testing
- Comments & Live Chat
- Tag Management
The money ๐ต
โWe know that Optimizely slows down the site, but it will get us $750k increased revenue this yearโ
Holiday website, UK
The it's not my job ๐คทโ
โWe suspect it slows the site down, we havenโt tested it. Marketing says itโs critical to their latest TV campaign so thereโs no point arguingโ
Budget airline, UK
The tag manager ๐ด
โAll the tags go through the tag manager, so they should be fine.โ
Clicks-and-mortar store, UK
but what about the
Risk?
๐ฒ
PS: Availability Heuristic 101 ๐ค
PS: Availability Heuristic 101 ๐ค
- Remember when Facebook went down?
- Remember when Disqus went down?
- Remember when Maxymiser went down?
- Remember when Dyn went down?
- left-pad ๐
Risk 1:
Malicious code injection ๐น
How much of your code has vulnerabilities?
CryptoJacking
It happens to the biggest players
Internet 'Service' Providers
blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/
Content Delivery Networks
Content Delivery Networks
Unintentional data collection
website tracking is a "security disaster waiting to happen"
Risk 2:
Availability ๐
Do they fail gracefully?
๐
Do they fail gracefully?
๐
Are they using a CDN?
(& is it as good as yours?)
What is their SLA for availability?
(& is it as good as yours?)
help.optimizely.com/Account_Settings/Optimizely_support_plans
Availability to the user
- Government / geo blocking
- Ad blocking
- Tracker blocking
- Random crap
Risk 3:
Code Quality ๐
XSS Vulnerabilites
XSS Vulnerabilites
document.write("<div
class='vdb_player vdb_565ec775e4b092ebc9685ce853180f5de4b066208a63279a'
vdb_params='m.pub_id=606413&m.url=http://nypost.com/#1' - alert(1) - '-alert(1)-'>
</div>");
Different release schedules
<script src="//s7.addthis.com/addthis_widget.js" async></script>
How do you know when it changes?
Just plain thoughtless
discuss.newrelic.com/t/do-not-clear-the-resource-timing-buffer/
Risk 4:
Performance ๐
Self-policing isn't good enough
... the X Web Reference Snippet was available ... and the download time over HTTP did not exceed 500 ms.
Snippet is sampled every minute from a variety of U.S. locations.
status.optimizely.com
Tools aren't equal
orangevalley.nl/en/blog/9-ab-testing-tools-compared-on-site-speed-impact/
The web is variable
Top 250 resources from HTTP Archive
The web is variable
Top 250 resources from Akamai mPulse
Resource Timing is the hero we need
https://www.w3.org/TR/resource-timing-1/
Resource Timing is the hero we need
not without Timing-Allow-Origin ๐
nicj.net/resourcetiming-visibility-third-party-scripts-ads-and-page-weight/
Resource Timing won't save us
๐ no redirect information
๐ limited data on 72% of third-party content
๐ only the first 150 requests *
๐ no data on old iDevices
๐ no data for cross-origin iframes
developer.akamai.com/blog/2017/07/26/measuring-performance-third-party-contributors/
* limit can be increased per pageview
Risk 4:
Performance ๐
(for real this time)
CPU is our biggest bottleneck โณ
Who's policing the third-parties?
Variable CPU time
on synthetic agents!
The most frustrating perf bug, ever
Who watches the watchmen?
calendar.perfplanet.com/2017/an-audit-of-boomerangs-performance/
Risk 4:
Performance ๐
(part III)
delaying onload
keeping the radio awake
We have little control
over which are used
But there are things we can do...
Stage 1:
Find out what's there
Synthetic Testing (webpagetest)
Synthetic Testing (webpagetest)
Bonus: Third-party categorization
github.com/simonhearne/thirdpartydb | thirdpartydb.appspot.com
Real User Monitoring ๐ฅ
Akamai mPulse
Stage 2:
Determine the impact
Synthetic Testing (webpagetest)
Synthetic Testing (made easy)
Synthetic Testing (made easy)
Resource Impact from Synthetics ๐ค
blog.catchpoint.com/2018/01/10/using-catchpoint-to-analyze-third-party-impact/
Resource Impact from Synthetics ๐ค
speedcurve.com/blog/ux-focus-for-waterfalls-and-third-parties/
Resource Impact from RUM
Advertising Partners
Partner 1 = ~400ms slower than partner 2
Migrating all ads = 220ms faster page load
Additional revenue ~= $12,000 per month
Large US publishing company
LongTasks API
Bonus: determine the value!
"Everything should have a value,
because everything has a cost"
Tim Kadlec - freelance #webperf god
Stage 3:
Measure them and Report on them
Content Security Policy ๐ฎโ
(report-only)
{
"csp-report": {
"document-uri": "https://yourwebsite.com/",
"referrer": "",
"violated-directive": "style-src",
"effective-directive": "style-src",
"original-policy": "",
"disposition": "enforce",
"blocked-uri": "inline",
"line-number": 4,
"column-number": 3,
"source-file": "https://static.hotjar.com/c/hotjar-730716.js?sv=6",
"status-code": 0,
"script-sample": ""
}
}Synthetic Testing ๐ค
blog.catchpoint.com/2018/01/10/using-catchpoint-to-analyze-third-party-impact/
RUM ๐ฅ
The
best way to monitor resources,
even with its limitations
๐ฅ Waterfalls
Akamai mPulse
Stage 4:
Defend ourselves ๐คผโ
Content Security Policy ๐ฎโ๏ธ
Content Security Policy ๐ฎโ๏ธ
CSP Strict-Dynamic
Content Security Policy ๐ฎโ๏ธ
๐ CryptoJacking
๐ XSS
๐ Maintenance
Sub-resource Integrity ๐
<link
rel="stylesheet"
href="//maxcdn.bootstrapcdn.com/.../bootstrap.min.css"
integrity="
sha256-8EtRe6XWoFEEhWiaPkLaw...=
sha512-/5KWJw2mvMO2ZM5fndVxU...=
"
crossorigin="anonymous">
<script
src="//ajax.googleapis.com/.../jquery.min.js"
integrity="
sha256-ivk71nXhz9nsyFDoYoGf2...=
sha512-7aMbXH03HUs6zO1R+pLye...=
"
crossorigin="anonymous"></script>
Sub-resource Integrity ๐
๐ Malicious Code
๐ Untested Changes
๐ Maintenance
โญ๏ธ Signature-based Restrictions...*
Service Worker ๐ช
function timeout(delay) {
return new Promise(function(resolve, reject) {
setTimeout(function(){
resolve(new Response('', {
status: 408,
statusText: 'Request timed out.'
}));
}, delay);
});
}
self.addEventListener('fetch', function(event) {
// Only fetch JavaScript files for now
if (/\.js$/.test(event.request.url)) {
event.respondWith(Promise.race([timeout(2000), fetch(event.request.url)]));
} else {
event.respondWith(fetch(event.request));
}
});
calendar.perfplanet.com/2015/reducing-single-point-of-failure-using-service-workers/
Service Worker ๐ช
๐ CDN / Network outages
๐ Not on first pageview
๐ Maintenance
๐ You can break your site
Self-hosting / Proxying โ๏ธ
Self-hosting / Proxying โ๏ธ
Self-hosting / Proxying โ๏ธ
Self-hosting / Proxying โ๏ธ
๐ CDN / Network outages
๐ Shared TCP connection
๐ Maintenance
Stage 5:
Have a third-party policy ๐ผ
- What does it do?
- Who uses it?
- Whatโs the risk to the site?
- How do you remove it?
Share with other teams! ๐ฃ
Third-party content may be a weak link
But it's here to stay
Five things you can do today:
- Know what's there
- Measure them
- Have a solid defense
- Share the data
- Have third-party policy
Further reading
Thank you,
good luck!
๐ดโ @SimonHearne
๐ webperf.ninja/tools
๐ฅ simonhearne.github.io/weak-links
@SimonHearne