WIP: 2020 Third Parties Chapter #1668
src/content/en/2020/third-parties.md
Outdated
|
||
<p id="gdcalert10" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image10.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert11">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p> | ||
|
||
![alt_text](images/image10.png "image_tooltip") |
@simonhearne If you change these WIP items to Jinja2 comments then it won't fail the pipeline and so will give you real feedback on any real issues:
![alt_text](images/image10.png "image_tooltip") | |
{# ![alt_text](images/image10.png "image_tooltip") #} |
Thanks, yes I'll be adding the images and fixing those shortly.
…On Tue, 8 Dec 2020, 12:14 Barry Pollard, ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/content/en/2020/third-parties.md
<#1668 (comment)>
:
> +
+<p id="gdcalert9" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image9.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert10">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>
+
+![alt_text](images/image9.png "image_tooltip")
+
+The results show that the majority of 3XX responses are small: the 90th percentile is 420B (i.e. 90% of 3XX responses are 420 bytes or smaller). The 95th percentile is 6.5kB and the 99th is 36kB! Whilst redirects may seem innocuous, 36kB is a reasonable amount of bytes over the wire for a response that simply leads to another response!
+
+## Early-loaders
+
+Scripts that load late in the page will have an impact on total page load duration and page weight, but might have no impact on the user experience. Scripts that load early in the page, however, will potentially cannibalize bandwidth for critical first-party resources and are more likely to interfere with the page load. This can have a detrimental impact on performance metrics and user experience.
+
+The chart below shows the percentage of requests that load early, by device type and third-party type. The three stand-out categories are CDN, Hosting and Tag Managers, all of which tend to deliver JavaScript that is requested in the head of a document.
+
+<p id="gdcalert10" ><span style="color: red; font-weight: bold">>>>>> gd2md-html alert: inline image link here (to images/image10.png). Store image on your image server and adjust path/filename/extension if necessary. </span><br>(<a href="#">Back to top</a>)(<a href="#gdcalert11">Next alert</a>)<br><span style="color: red; font-weight: bold">>>>>> </span></p>
+
+![alt_text](images/image10.png "image_tooltip")
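Review bot: In the "Early-loaders" section, "load early" is never defined: the chart sentence reports "the percentage of requests that load early", but neither paragraph says what cut-off separates early from late. Suggest stating the threshold in the sentence that introduces the chart, so the CDN, Hosting and Tag Managers figures can be interpreted. The gd2md-html alert paragraphs for image9 and image10 also need to be removed before merge, not only the image placeholders.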
@simonhearne <https://github.com/simonhearne> If you change these to
Jinja2 comments then it won't fail the pipeline and so will give you real
feedback on any real issues:
⬇️ Suggested change
-![alt_text](images/image10.png "image_tooltip")
+{# ![alt_text](images/image10.png "image_tooltip") #}
|
reviewers: [tammyeverts, jzyang] | ||
analysts: [max-ostapenko] |
Also update contributor metadata when you get a chance. List everyone who contributed, remove those that didn't, and order roughly by significance of their contributions (as a courtesy to those that did more)
Nice work @simonhearne. This is excellent. I added a few comments/suggestions in this review.
### Caveats | ||
|
||
* All data presented here is based on a non-interactive, cold load. These values could start to look quite different after user interaction. | ||
* The pages are tested with no cookies set, so third-parties requested after opt-in are not included. This will especially affect pages hosted and predominantly served to countries in scope for the [General Data Protection Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation). |
In the context of GDPR, it may also be important to mention that all of these measurements were performed on servers in the US.
Also worth including a link to the methodology - https://almanac.httparchive.org/en/2020/methodology
|
||
The sixth most common domain is digicert.com. Calls to digicert.com are generally OCSP revocation checks due to TLS certificates not having OCSP stapling enabled, or the use of Extended Validation (EV) certificates which prevent pinning of intermediate certificates. This number is exaggerated in HTTP Archive due to all page loads being effectively first-time visitors - OCSP responses are generally valid for seven days in real-world browsing. See [this blog post](https://simonhearne.com/2020/drop-ev-certs/) to read more on this issue. | ||
|
||
Further down the list at 2.43% is ajax.googleapis.com, Google's [Hosted Libraries project](https://developers.google.com/speed/libraries). Whilst loading a library such as jQuery from a hosted service is easy, the additional cost of a connection to a third-party domain may have a negative impact on performance. It is best to host all critical JavaScript and CSS on the root domain, if possible. There is also now no cache benefit to using a shared CDN resource, as all major browsers [partition caches by page](https://developers.google.com/web/updates/2020/10/http-cache-partitioning). |
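Review bot: The digicert.com paragraph says "This number is exaggerated" but gives no number for that domain, only its rank ("sixth most common"), while the next paragraph quotes 2.43% for ajax.googleapis.com. Suggest adding the share for digicert.com so the reader knows what figure is being discounted for the first-time-visitor effect.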
Harry Roberts wrote an excellent blog post about self hosting static assets last year, which may be worth linking to here. https://csswizardry.com/2019/05/self-host-your-static-assets/
) | ||
}} | ||
|
||
The results show that the majority of 3XX responses are small: the 90th percentile is 420B, i.e. 90% of 3XX responses are 420 bytes or smaller. The 95th percentile is 6.5kB, the 99th is 36kB and the 99.9th is over 100kB! Whilst redirects may seem innocuous, 100kB is a reasonable amount of bytes over the wire for a response that simply leads to another response. |
The results show that the majority of 3XX responses are small: the 90th percentile is 420B, i.e. 90% of 3XX responses are 420 bytes or smaller. The 95th percentile is 6.5kB, the 99th is 36kB and the 99.9th is over 100kB! Whilst redirects may seem innocuous, 100kB is a reasonable amount of bytes over the wire for a response that simply leads to another response. | |
The results show that the majority of 3XX responses are small: the 90th percentile is 420B, i.e. 90% of 3XX responses are 420 bytes or smaller. The 95th percentile is 6.5kB, the 99th is 36kB and the 99.9th is over 100kB! Whilst redirects may seem innocuous, 100kB is an unreasonable amount of bytes over the wire for a response that simply leads to another response. |
|
||
## Repercussions | ||
|
||
We know that adding arbitrary JavaScript to our sites introduces risks to both site speed and security. Site owners must be diligent to balance the value of the third-party scripts they include with the speed penalty they may bring, and use modern features such as [subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) and [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to maintain a strong security posture. |
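Review bot: In the "Repercussions" paragraph, subresource integrity and content security policy are linked but the sentence does not say what either one does about a third-party script, so the security advice reads as a pair of names. Suggest a clause for each: with SRI the browser refuses to run a script whose content does not match the hash declared in the page, and CSP limits which origins scripts may be loaded from.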
Might be worth referencing the security chapter here, since that should cover both SRI and CSP adoption.
Merging and iterating. Paul's feedback can be resolved in a follow-up PR.
Progress on #901