Can Third-Party Scripts Take Down Your Entire Site?
Tammy Everts
O’Reilly Webcast – June 4, 2014
Conversions
Ad revenue
Page views
Visitor data
No need to re-invent the wheel
Quick and easy
Established
Support
Slide 2
Third-party calls can make up >50% of page requests.
Slide 3
Steve Souders: http://www.fastly.com/blog/steve-souders-webperf-web-components/
Slide 4
Slide 5
Slide 6
Third-party scripts present risks to your pages and to your users:
Outages
Slowdowns
Security (?)
Slide 7
Slide 8
Slide 9
Increase page weight
Increase number of hosts and connections
Introduce additional latency
Slide 10
Slide 11
832ms 1.788s 918ms
Wait… what the heck is a fourth-party call?
Slide 12
Slide 13
http://www.webperformancetoday.com/2011/07/14/fourth-party-calls-third-party-content/
Slide 14
1. Audit your third-party scripts.
• Identify all third-party scripts
• Know which pages they’re on
• Find out what performance best practices, if any, each script uses (e.g., deferral, async loading)
• Read the SLA for each provider (if they have one)
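One way to start this audit, as an added example that is not from the talk: a Python script that lists the third-party `<script>` tags in a page and flags the ones loaded without `async` or `defer`. The sample HTML and hostnames are constructed, and treating every hostname other than the page's own as third-party is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; all hostnames are placeholders.
SAMPLE_URL = "https://www.shop.example/"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://widgets.example.net/share.js"></script>
<script async src="//stats.example.org/t.js"></script>
</head><body>
<script defer src="https://tags.example.com/ab-test.js"></script>
<script src="https://ads.example.net/show.js"></script>
<script>var inline = 1;</script>
</body></html>"""


class ScriptAudit(HTMLParser):
    """Collect external third-party <script> tags and how each is loaded."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.in_head = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        attrs = dict(attrs)
        if tag != "script" or not attrs.get("src"):
            return  # not a script, or inline: no network dependency
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, attrs["src"])).hostname
        if host == self.first_party:
            return
        # Without async/defer the parser waits for this host to respond.
        blocking = "async" not in attrs and "defer" not in attrs
        self.findings.append(
            {"host": host, "blocking": blocking, "in_head": self.in_head})

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def audit(html, page_url):
    """Return one finding per third-party script, in document order."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Findings with `blocking` set are the scripts to put through the blackhole test first; those that also have `in_head` set hold up the whole page rather than only the content after them.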
Slide 16
Slide 17
http://www.webpagetest.org
Slide 18
http://www.webperformancetoday.com/2014/03/18/waterfalls-101-how-to-use-a-waterfall-chart-to-diagnose-performance-pains/
Slide 19
Slide 20
Slide 21
2. Test for SPOFs.
The old, painful way:
http://www.webperformancetoday.com/2011/10/13/how-vulnerable-is-your-site-to-third-party-failure/
Slide 23
Slide 24
The new, better way:
https://chrome.google.com/webstore/search/spof-o-matic
Slide 25
Slide 26
Slide 27
Slide 28
SPOF: 22.7s
Original: 3.5s
Slide 29
Slide 30
Slide 31
Slide 32
Slide 33
Original
SPOF
https://www.optimizely.com/security
Slide 34
Slide 35
Slide 36
Slide 37
Original
SPOF
Blackhole test results fall into one of three groups:
1. SPOF page loads SLOWER than original page. Fix: Deferral or async script.
2. SPOF page loads FASTER than original page. Fix: Talk to provider about script hosting.
3. SPOF page times out. Fix: Same as #1.
Slide 38
3. Before you add a new script, research the provider.
• Response time and time to last byte
• RT and TTLB from multiple locations
• Average monthly downtime
• Do they use a CDN?
• If so, where are their caches located?
Slide 40
4. Read the provider’s service level agreement.
An ideal third-party SLA should:
• Express monthly/annual uptime guarantee as a percentage (ideally, as close to 100% as possible)
• Explain how performance will be monitored and reported
• Describe the process for reimbursing site owners (if site owners are paying for the service provided by the script) if uptime drops below the SLA guarantee
Slide 42
5. Perform a cost-benefit analysis.
Slide 44
Slide 45
2-second slowdown = 14% conversion loss
But…
…if that same tool promises a 20% conversion increase, that = a net gain of 6%
Slide 46
6. Be ready to say no.
Slide 48
7. Defer scripts whenever possible.
Slide 50
Pro: It’s a relatively easy fix.
Con: It won’t work for all content.
Slide 51
Slide 52
8. Use asynchronous scripts.
Slide 54
Slide 55
Slide 56
Pro:
Doesn’t block primary content.
Cons:
Can be tricky to program.
Can mess up onLoad and make it difficult to see other problems.
http://www.stevesouders.com/blog/2009/04/27/loading-scripts-without-blocking/
Slide 57
Slide 58
http://calendar.perfplanet.com/2011/the-art-and-craft-of-the-async-snippet/
9. Monitor constantly.
RUM/APM
Tag management systems
SPOF-o-matic
No excuses.
Slide 60
10. Give feedback to providers.
Slide 62
Slide 63
11. Know when to pull the plug.
Slide 65
Tammy Everts
webperformancetoday.com
twitter.com/tameverts
Slide 66
Questions?