A presentation at Akamai DPM Meetup in London, UK by Simon Hearne
THIRD-PARTY CONTENT: THE WEAK LINK IN YOUR CHAIN?
Simon Hearne, Principal Engineer @ Akamai
@SimonHearne
THE MODERN WEB WORKFLOW 101
make something
test it
ship it
...put tags on it
WHAT I'VE LEARNED IN 5 YEARS
we seem to have less control than ever & there are increasingly more third-party providers
HOW I THINK I CAN HELP YOU
1. Understand the risk they pose
2. Discover & identify third-party tags
3. How to monitor and measure tags
4. Building a business case for tags
TAGS SERVE BUSINESS GOALS
Measurement & Analytics
Ads & Retargeting
"Optimization" & Testing
Comments & Live Chat
Tag Management

BUT WHAT ABOUT THE RISK?

RISK 1: CODE QUALITY
78.7% of top 500k sites include JS with known vulnerabilities
beta.httparchive.org/reports/state-of-the-web#pctVuln

CRYPTOJACKING
www.theverge.com/2018/3/22/17147320/cryptojacking-8500-percentage-points-bitcoin-monero-spike-symantec-security-mining

IT HAPPENS TO THE BIGGEST PLAYERS
twitter.com/nytimes/status/3958547840

UNINTENTIONAL DATA COLLECTION
website tracking is a "security disaster waiting to happen"
freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/

XSS VULNERABILITIES
randywestergren.com/widespread-xss-vulnerabilities/
DIFFERENT RELEASE SCHEDULES
How do you know when it changes?
<script src="//s7.addthis.com/addthis_widget.js" async></script>
www.addthis.com

JUST PLAIN THOUGHTLESS
discuss.newrelic.com/t/do-not-clear-the-resource-timing-buffer/

CODE QUALITY
How do they protect themselves?
How do they protect your customers?
RISK 2: AVAILABILITY

AVAILABILITY = USER AVAILABILITY
Government / ISP interference
Content blocking (~10% of users*)
Random issues (1% of JS fails to load*)

DO THEY FAIL GRACEFULLY? (video)

DO THEY FAIL GRACEFULLY? (video)

DO THEY FAIL GRACEFULLY? (video)

ARE THEY USING A CDN? (& IS IT AS GOOD AS YOURS?)

WHAT IS THEIR SLA FOR AVAILABILITY? (& IS IT AS GOOD AS YOURS?)
Optimizely support plans

AVAILABILITY
What happens when they fail?
How often could they fail?
RISK 3: PERFORMANCE

SELF-POLICING ISN'T GOOD ENOUGH
status.optimizely.com

TOOLS AREN'T EQUAL
orangevalley.nl/en/blog/9-ab-testing-tools-compared-on-site-speed-impact/

RESOURCE TIMING IS THE HERO WE NEED
https://www.w3.org/TR/resource-timing-1/

RESOURCE TIMING IS THE HERO WE NEED: NOT WITHOUT TIMING-ALLOW-ORIGIN
nicj.net/resourcetiming-visibility-third-party-scripts-ads-and-page-weight/
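The two Resource Timing slides above make one point: the API gives you per-request timing for every third party on every pageview, but for a cross-origin resource the browser zeroes the detailed timestamps and sizes unless that third party sends a Timing-Allow-Origin header, leaving only start time, duration and response end. The following is an added example, not code from the talk: it groups entries by third-party host, reports request count and median duration per host, and flags the entries whose detail was stripped, which is the list of vendors to ask for Timing-Allow-Origin. In a browser the input would be performance.getEntriesByType('resource'); the first-party host and the sample entries here are constructed with the same field names so the code also runs under Node.

```javascript
// Added example (not from the slides): group Resource Timing entries by
// third-party host and flag the ones a missing Timing-Allow-Origin header
// has stripped of detail. In a browser the input would be
// performance.getEntriesByType('resource'); here a constructed array with the
// same field names stands in so the code also runs under Node.

const FIRST_PARTY = 'www.example-shop.test'; // constructed first-party host

// Constructed sample entries (milliseconds / bytes). A third party that does
// not send Timing-Allow-Origin leaves transferSize and the detailed
// timestamps at 0; only startTime, duration and responseEnd survive.
const SAMPLE_ENTRIES = [
  { name: 'https://www.example-shop.test/app.js',   duration: 120, transferSize: 40000, requestStart: 700 },
  { name: 'https://cdn.partner-one.test/ads.js',    duration: 650, transferSize: 0,     requestStart: 0 },
  { name: 'https://cdn.partner-one.test/pixel.gif', duration: 410, transferSize: 0,     requestStart: 0 },
  { name: 'https://tags.partner-two.test/tag.js',   duration: 210, transferSize: 9000,  requestStart: 900 },
  { name: 'https://tags.partner-two.test/lib.js',   duration: 190, transferSize: 8000,  requestStart: 1010 },
  { name: 'data:image/png;base64,iVBORw0KGgo=',      duration: 0,   transferSize: 0,     requestStart: 0 },
];

// Hostname of a resource URL, or null for data:/blob: URLs that have none.
function hostOf(url) {
  try {
    return new URL(url).hostname || null;
  } catch (e) {
    return null;
  }
}

// True when the entry is cross-origin and the browser zeroed its detail fields.
// A cached cross-origin resource with Timing-Allow-Origin also has
// transferSize 0, but keeps a non-zero requestStart, so both are checked.
function isTimingRestricted(entry, firstParty) {
  const host = hostOf(entry.name);
  return host !== null && host !== firstParty &&
    entry.transferSize === 0 && entry.requestStart === 0;
}

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Returns { host: { requests, medianDuration, restricted } } for every
// third-party host; first-party and non-network entries are skipped.
function summariseThirdParties(entries, firstParty) {
  const byHost = new Map();
  for (const entry of entries) {
    const host = hostOf(entry.name);
    if (host === null || host === firstParty) continue;
    if (!byHost.has(host)) byHost.set(host, { durations: [], restricted: 0 });
    const rec = byHost.get(host);
    rec.durations.push(entry.duration);
    if (isTimingRestricted(entry, firstParty)) rec.restricted += 1;
  }
  const summary = {};
  for (const [host, rec] of byHost) {
    summary[host] = {
      requests: rec.durations.length,
      medianDuration: median(rec.durations),
      restricted: rec.restricted, // entries with no usable detail: ask this vendor for Timing-Allow-Origin
    };
  }
  return summary;
}

console.log(JSON.stringify(summariseThirdParties(SAMPLE_ENTRIES, FIRST_PARTY), null, 2));
```

Run in a RUM beacon or a synthetic test, the per-host medians are the numbers the "advertising partners" comparison later in the deck is built on; the restricted count tells you which vendors' numbers are only an opaque total.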
CPU IS OUR BIGGEST BOTTLENECK ⏳

THE MOST FRUSTRATING PERF BUG, EVER

DEVICES ARE NOT AFFECTED EQUALLY
Fast Fashion… How Missguided revolutionised their approach to site performance

DEVICES ARE NOT AFFECTED EQUALLY
Fast Fashion… How Missguided revolutionised their approach to site performance

PERFORMANCE
Does their performance affect yours?
Do they let you measure them?
ACTIONS TO TAKE
(table; columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal; the ✔/• cell marks did not survive extraction)
STAGE 1: FIND OUT WHAT'S THERE
RequestMap

SYNTHETIC TESTING

SYNTHETIC TESTING (WEBPAGETEST)

CONDUCTING AN AUDIT
Identifying, Auditing, and Discussing Third Parties - CSS Wizardry

REAL USER MONITORING

REAL USER MONITORING
(chart: Sum of FREQ by PAGEGROUPNAME and HOST for a retail site; page groups include homepage, search results, Product Detail Page, Shopping cart, Checkout and myaccount; the HOST axis lists well over a hundred third-party hostnames, e.g. ad.doubleclick.net, connect.facebook.net, www.google-analytics.com, beacon.krxd.net, dpm.demdex.net, secure.checkout.visa.com)
STAGE 2: DETERMINE THE IMPACT

SYNTHETIC TESTING (WEBPAGETEST)

SYNTHETIC TESTING (WEBPAGETEST)

SYNTHETIC TESTING (WEBPAGETEST)

RESOURCE IMPACT FROM RUM

ADVERTISING PARTNERS
Partner 1 = ~400ms slower than partner 2
Migrating all ads = ~100ms faster page load
Additional revenue $8,000 per month
Large US publishing company

"Everything should have a value, because everything has a cost" - Tim Kadlec

STAGE 3: MEASURE THEM AND REPORT ON THEM
CONTENT SECURITY POLICY

CONTENT SECURITY POLICY (REPORT-ONLY)
A violation report as POSTed to the report-uri endpoint (the directive name and source file are truncated on the slide):
{
  "csp-report": {
    "document-uri": "https://yourwebsite.com/",
    "referrer": "",
    "violated-directive": "…-src",
    "effective-directive": "…-src",
    "original-policy": "",
    "disposition": "enforce",
    "blocked-uri": "inline",
    "line-number": 4,
    "column-number": 3,
    "source-file": "…",
    "status-code": 0,
    "script-sample": ""
  }
}
report-uri.com
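A report-only policy is the cheapest inventory tool in the deck: nothing is blocked, but every resource the policy does not name produces a report like the one above. Those reports are only useful once aggregated, so here is an added example (not from the talk) of a minimal endpoint-side aggregator: it parses the csp-report bodies, groups them by violated directive and blocked host, and marks whether the host is already on the allow-list you built the policy from, so a tag nobody declared stands out from a policy that merely needs tuning. The report-only header in the comment, the allow-list and the sample reports are constructed.

```javascript
// Added example (not from the slides): a small aggregator for the JSON that
// browsers POST to a report-uri endpoint when a report-only policy such as
//   Content-Security-Policy-Report-Only: script-src 'self' www.google-analytics.com connect.facebook.net; report-uri /csp-report
// is violated. It groups reports by directive and blocked host so unexpected
// third parties stand out. Header value, hosts and reports are constructed.

// Constructed: hosts the policy already names, so a report about them is a
// policy-tuning question rather than an unknown tag.
const KNOWN_THIRD_PARTIES = new Set(['www.google-analytics.com', 'connect.facebook.net']);

// Constructed sample request bodies in the csp-report shape.
const SAMPLE_REPORTS = [
  { 'csp-report': { 'document-uri': 'https://yourwebsite.com/', 'violated-directive': 'script-src',
                    'blocked-uri': 'https://unknown-tag.test/t.js', 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://yourwebsite.com/checkout', 'violated-directive': 'script-src',
                    'blocked-uri': 'https://unknown-tag.test/t.js?v=2', 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://yourwebsite.com/', 'violated-directive': 'script-src',
                    'blocked-uri': 'inline', 'line-number': 4, 'disposition': 'report' } },
  { 'csp-report': { 'document-uri': 'https://yourwebsite.com/', 'violated-directive': 'img-src',
                    'blocked-uri': 'https://connect.facebook.net/tr?id=1', 'disposition': 'report' } },
  { unrelated: 'not a CSP report' },
];

// Pull the fields we need out of one request body; null if it is not a report.
function parseReport(body) {
  const r = body && body['csp-report'];
  if (!r || typeof r['violated-directive'] !== 'string') return null;
  return {
    directive: r['violated-directive'],
    blocked: typeof r['blocked-uri'] === 'string' ? r['blocked-uri'] : '',
    page: typeof r['document-uri'] === 'string' ? r['document-uri'] : '',
  };
}

// blocked-uri is a URL for network loads, or a keyword such as "inline",
// "eval" or "data" for non-network sources; keep keywords as their own bucket.
function blockedHost(blocked) {
  if (!/^https?:\/\//i.test(blocked)) return blocked || '(empty)';
  try { return new URL(blocked).hostname; } catch (e) { return '(unparseable)'; }
}

// Returns { rows, malformed }; rows are sorted by count, highest first.
function aggregate(bodies, knownHosts) {
  const buckets = new Map();
  let malformed = 0;
  for (const body of bodies) {
    const rep = parseReport(body);
    if (rep === null) { malformed += 1; continue; }
    const host = blockedHost(rep.blocked);
    const key = rep.directive + ' ' + host;
    if (!buckets.has(key)) {
      buckets.set(key, { directive: rep.directive, host, count: 0, pages: new Set(), known: knownHosts.has(host) });
    }
    const b = buckets.get(key);
    b.count += 1;
    b.pages.add(rep.page);
  }
  const rows = [...buckets.values()]
    .map(b => ({ ...b, pages: [...b.pages].sort() }))
    .sort((a, b) => b.count - a.count);
  return { rows, malformed };
}

console.log(JSON.stringify(aggregate(SAMPLE_REPORTS, KNOWN_THIRD_PARTIES), null, 2));
```

Reports arrive from end users' browsers, so the endpoint should treat them as untrusted input: the parser above ignores anything that is not shaped like a report and never echoes fields back into a page.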
SYNTHETIC TESTING

RUM
The best way to monitor resources, even with its limitations

WATERFALLS
Akamai mPulse
ACTIONS TO TAKE
(table; rows: Synthetic, RUM, CSP (RO); columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal; the ✔/• cell marks did not survive extraction)
STAGE 4: DEFEND OURSELVES

CONTENT SECURITY POLICY

CONTENT SECURITY POLICY
caniuse.com/#feat=contentsecuritypolicy2
SUB-RESOURCE INTEGRITY

SUB-RESOURCE INTEGRITY
<link rel="stylesheet"
      href="//maxcdn.bootstrapcdn.com/.../bootstrap.min.css"
      integrity="sha256-8EtRe6XWoFEEhWiaPkLaw...= sha512-/5KWJw2mvMO2ZM5fndVxU...="
      crossorigin="anonymous">
<script src="//ajax.googleapis.com/.../jquery.min.js"
        integrity="sha256-ivk71nXhz9nsyFDoYoGf2...= sha512-7aMbXH03HUs6zO1R+pLye...="
        crossorigin="anonymous"></script>
SERVICE WORKER
// Answer JavaScript requests with a 408 if the network takes longer than the
// delay, so a slow or blocked third-party script cannot hold the page hostage.
function timeout(delay) {
  return new Promise(function (resolve, reject) {
    setTimeout(function () {
      resolve(new Response('', {
        status: 408,
        statusText: 'Request timed out.'
      }));
    }, delay);
  });
}

self.addEventListener('fetch', function (event) {
  // Only fetch JavaScript files for now
  // (the $ anchor means a .js URL carrying a query string is not matched)
  if (/\.js$/.test(event.request.url)) {
    event.respondWith(Promise.race([timeout(2000), fetch(event.request.url)]));
  } else {
    event.respondWith(fetch(event.request));
  }
});
calendar.perfplanet.com/2015/reducing-single-point-of-failure-using-service-workers/
SCRIPT MANAGER

SELF-HOSTING / PROXYING ☔

SELF-HOSTING / PROXYING ☔
vwo.com/knowledge/host-vwo-javascript-files-on-your-server/

SELF-HOSTING / PROXYING ☔
community.akamai.com/community/web-performance/blog/2016/01/13/5-ways-to-prevent-slow-3rd-party-front-end-services
ACTIONS TO TAKE
(table; rows: Synthetic, RUM, CSP (RO), SRI / Versioning, CSP, Service Worker, Self Hosting; columns: Discovery, Impact, Reporting, Code Quality, Availability, Data Leakage, Performance, Removal; the ✔/• cell marks did not survive extraction)
THIRD-PARTY POLICY
What does it do?
Who uses it?
What's the risk to the site?
How do you remove it?

THIRD-PARTY CONTENT MAY BE A WEAK LINK, BUT IT'S HERE TO STAY

FIVE THINGS YOU CAN DO THIS WEEK:
Know what's there (requestmap)
Measure their performance (WPT / mPulse)
Share the data (dashboards)
Have a solid defense (SRI & CSP)
Have a third-party policy (with IT & business)

FURTHER READING
https://www.soasta.com/solutions/3rd-party-management/

THANK YOU, GOOD LUCK!
@SimonHearne
webperf.ninja/tools
shearne@akamai.com
Third-party content is the thorn in the side of many a good website. From A/B testing that delays render to advertising networks that bleed user data, we depend on services over which we have no control. In an ideal world we could attribute a user experience cost to each third-party provider, allowing marketing, eCommerce and business intelligence to make educated decisions about which providers should stay and which should go.
The Resource Timing API allows site owners to measure how third-parties perform for every single pageview. Combining this data with business intelligence provides new insight into the impact of third-party providers on business performance.
This talk explores some of the toughest questions in web performance, backed up with huge amounts of data:
Will moving to a new advertising network increase ad revenue? Is A/B testing losing more revenue than it gains? Does measuring web performance impact web performance? Data for this talk has been gathered from over 500,000 websites, with detailed investigation performed on millions of pageviews from a small number of sites.
You will leave this talk armed with the tools and knowledge to measure the performance of third-party providers and provide compelling arguments for whether they should stay or go.
The following resources were mentioned during the presentation or are useful additional information.