can third-party scripts take down your entire site?

Can Third-Party Scripts Take Down Your Entire Site?

Tammy Everts

O’Reilly Webcast – June 4, 2014

Conversions

Ad revenue

Page views

Visitor data

No need to re-invent the wheel

Quick and easy

Established

Support

Slide 2

Third-party calls can make up >50% of page requests.

Slide 3

Steve Souders: http://www.fastly.com/blog/steve-souders-webperf-web-components/

Slide 4

Slide 5

Slide 6

Third-party scripts present risks to your pages and to your users:

Outages

Slowdowns

Security (?)

Slide 7

Slide 8

Slide 9

Increase page weight

Increase number of hosts and connections

Introduce additional latency

Slide 10

Slide 11

832ms 1.788s 918ms

Wait… what the heck is a fourth-party call?

Slide 12

Slide 13

http://www.webperformancetoday.com/2011/07/14/fourth-party-calls-third-party-content/

Slide 14

1. Audit your third-party scripts.

• Identify all third-party scripts

• Know which pages they’re on

• Find out what performance best practices, if any, each script uses (e.g., deferral, async loading)

• Read the SLA for each provider (if they have one)

Slide 16

Slide 17

http://www.webpagetest.org

Slide 18

http://www.webperformancetoday.com/2014/03/18/waterfalls-101-how-to-use-a-waterfall-chart-to-diagnose-performance-pains/

Slide 19

Slide 20

Slide 21

2. Test for SPOFs.

The old, painful way:

http://www.webperformancetoday.com/2011/10/13/how-vulnerable-is-your-site-to-third-party-failure/

Slide 23

Slide 24

The new, better way:

https://chrome.google.com/webstore/search/spof-o-matic

Slide 25

Slide 26

Slide 27

Slide 28

SPOF: 22.7s

Original: 3.5s

Slide 29

Slide 30

Slide 31

Slide 32

Slide 33

Original

SPOF

https://www.optimizely.com/security

Slide 34

Slide 35

Slide 36

Slide 37

Original

SPOF

Blackhole test results fall into one of three groups:

1. SPOF page loads SLOWER than original page Fix: Deferral or async script

2. SPOF page loads FASTER than original page Fix: Talk to provider about script hosting

3. SPOF page times out. Fix: Same as #1

Slide 38

3. Before you add a new script, research the provider.

• Response time and time to last byte

• RT and TTLB from multiple locations

• Average monthly downtime

• Do they use a CDN?

• If so, where are their caches located?

Slide 40

4. Read the provider’s service level agreement.

An ideal third-party SLA should:

• Express monthly annual uptime guarantee as a percentage (ideally, as close to 100% as possible)

• Explain how performance will be monitored and reported

• Describe the process for reimbursing site owners (if site owners are paying for the service provided by the script) if uptime drops below the SLA guarantee

Slide 42

5. Perform a cost-benefit analysis.

Slide 44

Slide 45

2-second slowdown = 14% conversion loss

But…

…if that same tool promises a 20% conversion increase, that = a net gain of 6%

Slide 46

6. Be ready to say no.

Slide 48

7. Defer scripts whenever possible.

Slide 50

Pro: It’s a relatively easy fix.

Con: It won’t work for all content.

Slide 51

Slide 52

8. Use asynchronous scripts.

Slide 54

Slide 55

Slide 56

Pro:

Doesn’t block primary content.

Cons:

Can be tricky to program.

Can mess up onLoad and make it difficult

to see other problems.

http://www.stevesouders.com/blog/2009/04/27/loading-scripts-without-blocking/

Slide 57

Slide 58

http://calendar.perfplanet.com/2011/the-art-and-craft-of-the-async-snippet/

9. Monitor constantly.

RUM/APM

Tag management systems

SPOF-o-matic

No excuses.

Slide 60

10. Give feedback to providers.

Slide 62

Slide 63

11. Know when to pull the plug.

Slide 65

Tammy Everts

tammye@radware.com

webperformancetoday.com

twitter.com/tameverts

Slide 66

Questions?