Chaperones and curfews – We Love Speed 2019

Transcript

1. Chaperones and curfews Minimising 3rd party impact Photo by Spenser

   on Unsplash

2. Who am I? Ryan Townsend @ryantownsend

3. None
4. None

5. • What are third parties? • Why are they problematic?

   • Why use them at all? • What can I do to mitigate against their impact?

6. What are third parties?

7. Any infrastructure or service on a separate origin that you

   don’t control

8. Why are third parties a problem?

9. Rewind back to Velocity 2011…

10. None
11. None

12. The web lived happily ever after.

13. Except it didn’t.

14. • Social media buttons • Tag managers • Ads •

    A/B testing tools • Personalisation • Analytics & Event Capture • Independent Customer Reviews • Retargeting • Affiliate trackers • Live chat • Hosted webfonts • Comment platforms • Videos • Developer Utilities

15. Source: Steve Souders / HTTP Archive

16. Source: Yottaa Average # of 3rd Parties (eComm) 2015 2016

    2017 2018 85 60 37 15

17. “Can I bring a +1?”

18. requestmap.webperf.tools

19. But it’s not just the volume…

20. “There is zero performance overhead to using our synchronous script

    […] our typical response time is around 200ms” – Popular Third Party Provider

21. Source: Steve Souders / HTTP Archive

22. And it’s not just the network…

23. Continual JavaScript execution 1 second

24. “Third party script execution is the majority chunk of the

    web today” – Patrick Hulce, Lighthouse

25. The average execution time per third-party is 225ms

26. 85 third-parties x 225ms = 19s

27. It’s not even just the visitors who are affected…

28. • Inaccurate development & QA experience • Unable to perform

    commit/build-time linting • Governance processes in the hands of the 3rd party

29. Why use third parties?

30. None
31. None
32. None

33. • You can’t build it all yourself • You shouldn’t

    build it all yourself • You’re hacking around technical limitations • You’re hacking around organisational limitations

34. So, what can we do?

35. Identify your third parties

36. requestmap.webperf.tools

37. Long-running JavaScript Large payloads webpagetest.org/easy

38. None

39. • It’s My (Third) Party and I’ll Cry If I

    Want To
 Harry Roberts (@csswizardry) • AB Testing, Ads & Other 3rd Party Tags
 Andy Davies (@andydavies) • Performance Audit (Live)
 Tim Kadlec (@tkadlec) • Raiders of the Fast Start
 Katie Sylor-Miller (@ksylor)

40. Consider your loading strategy

41. 1. Where/when do you need to load it?

42. Can you load it on user behaviour?

43. Load reviews on user action -8s blocking JavaScript execution

44. 2. How critical is it?

45. Progressive enhancement isn’t just for first-party JavaScript

46. 3. Do we need ALL of it?

47. None

48. • Check for GZIP/Brotli compression • Subset fonts • Centralise

    data capture (e.g. Segment) • Disable loading libraries

49. You can’t all bring jQuery as your +1!

50. Check for image transformation

51. Avoid tech debt

52. Optimise your 3rd party scripts

53. A/B test implementation +20s JavaScript execution

54. 4. Can you load it asynchronously or defer it?

55. None

56. “But what about the flicker!?”

57. Curfew

58. font-display: fallback

59. Implement this one NASTY trick… you’ll never believe what happened

    next
60. None
61. None
62. None

63. <head> <script> function showBody() { document.body.style.display = 'block'; } setTimeout(showBody,

    3000) </script> <script src="https://myadprovider.com/" onload="showBody()" onerror="showBody()" importance="high" async> </script> </head> <body style="display:none"> ... </body> when the script loads/fails: show the body hide the whole body after 3 seconds: show the body regardless
64. None

65. function timeout(delay){ return new Promise(function(resolve, reject) { setTimeout(function() { resolve(new

    Response('', { status: 408, statusText: 'Request timed out.' })) }, delay) }) } self.addEventListener('fetch', function(event) { // if the request is not for example.com, serve requests normally if (!event.request.url.includes('example.com')) { return } return event.respondWith(caches.match(event.request).then(function(response) { return response || Promise.race([ timeout(2000), fetch(event.request) ]) })) }) attempt the request force a 2-second timeout service-worker-timeout.twnsnd.com

66. 5. Can you self-host the resources?

67. • No DNS lookup • No connection setup • No

    SSL negotiation • “Better” HTTP/2 prioritisation • You can fingerprint and use far-future expiry • Plays nicer with Content-Security-Policies *

68. What about changes?

69. None

70. Dual-phase loading

71. https://medium.com/caspertechteam/we-shaved-1-7-seconds-off-casper-com-by-self-hosting-optimizely-2704bcbff8ec

72. https://medium.com/caspertechteam/we-shaved-1-7-seconds-off-casper-com-by-self-hosting-optimizely-2704bcbff8ec

73. 6. Can we preconnect or preload?

74. • DNS Prefetch • Preconnect • Preload • Prefetch •

    Prerender (Nostate Prefetch) Check out: Harry Roberts – More Than You Ever Wanted To Know About Resource Hints
75. None

76. Choose your friends

77. None
78. None

79. The Windows 95 launch really got out of hand

80. None

81. Protect your site from 3rd parties

82. None

83. Kill Switch

84. Feature-Policy

85. sync-xhr, document-write, legacy-image-formats, max-downscaling-image, unsized-media, image-compression, font-display-late-swap, lazyload, unoptimized-images

86. Protect your site from your company

87. Tag Managers

88. It’s all our fault

89. • Embed manually and maintain a clear release runway •

    Migrate long-term scripts to core site • Server-side tag management

90. TWO TAG MANAGERS?

91. None
92. None

93. Remember you have leverage

94. Everybody wins…

95. “Huge props to WordAds for reducing their impact from ~2.5s

    to ~200ms on average!” – Patrick Hulce, Lighthouse

96. 32,000 sites benefitted.

97. • You don’t make friends taking toys away • Understand

    really how your third parties are used • Work with what you’ve got and optimise • Assume third parties will burn you • Protect yourself • Work with them for the better of the whole web

98. Thank you! Ryan Townsend CTO, SHIFT – @ryantownsend twnsnd.com/welovespeed