More Thoughts On Third Party Scripts

Joshua Bixby has an article about how third party scripts on your Web site can seriously hinder the Web site’s performance (“Has your site’s third-party content gone rogue? Here’s how to regain control.”).

In addition to the performance issues, you need to consider the following dangers and drawbacks of introducing third party code into your application or Web site:

  • You have no control over what they do.
    Sure, they tell you they do something, but that might not be all that they do. For example, a number of years back, I recall a Web site visit tracker that provided a “free” version and a paid version. A lot of people went with the “free” version, which not only provided rudimentary statistics on your Web site, but also served pop-under ads. By that time, most browsers allowed pop-up blocking, but this was not always the case, and the host was making money on its users’ content. The provider of this free utility did mention that it was going to do so in the terms of use, somewhere around the term that said you could not use the Web counter on Web sites discussing John Norman’s Gor books (no kidding). So not many people read it.
     
  • They can be an attack vector for malware.
    This is a corollary of the above point, but it’s worth noting on its own: Not even the third party vendors, especially ad delivery services, have control over what the code does. In many cases, that’s left to the person who buys the ad, and sometimes that’s a bad, bad man who wants to do bad, bad things to user computers and inserts attack code into ads that the third party code serves up. As a matter of fact, the last attack I know of on my client machine came not from a Web site discussing John Norman’s Gor books, but from the live stream page of KMOX radio, a CBS affiliate in St. Louis, where one of its ads tried a JavaScript exploit on me.
     
  • You have no control over quality of the third party code.
    No matter how much or how little you test your Web site or application, you can rest assured the third parties test their stuff less (even if that is, in fact, a negative number). Many of the JavaScript errors I see when careering around the corners of the Internet stem from missing objects associated with third party code. This might not adversely impact your Web site, but we don’t like to deal with “might not” as a plan of action in QA, do we?
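
For the missing-object errors in the last point, here is an added example (not code from the original post or from Bixby's article) of guarding a call into a vendor script and tallying logged JavaScript errors by the host that served the failing script. The `visitCounter` global, the host names and the error records are all constructed for illustration.

```javascript
// Added example. visitCounter, the hosts and the error records are constructed.

// Call a third-party function only if the vendor script actually defined it.
function callIfLoaded(root, path, ...args) {
  const parts = path.split(".");
  const last = parts.pop();
  let owner = root ?? {};
  for (const name of parts) {
    const next = owner[name];
    const usable = next !== null && ["object", "function"].includes(typeof next);
    if (!usable) return { called: false }; // vendor object is missing
    owner = next;
  }
  if (typeof owner[last] !== "function") return { called: false };
  try {
    return { called: true, value: owner[last](...args) };
  } catch (err) {
    return { called: true, error: String(err) }; // vendor bug stays contained
  }
}

// Host that served the failing script. Browsers report an empty filename
// ("Script error.") for cross-origin scripts loaded without CORS.
function sourceHost(filename, pageUrl) {
  if (!filename) return "(masked cross-origin)";
  try { return new URL(filename, pageUrl).host; } catch { return "(unparseable)"; }
}

// Count errors per host and split them into first- and third-party.
function summarizeErrors(records, pageUrl) {
  const ownHost = new URL(pageUrl).host;
  const summary = { firstParty: 0, thirdParty: 0, byHost: {} };
  for (const rec of records) {
    const host = sourceHost(rec.filename, pageUrl);
    summary.byHost[host] = (summary.byHost[host] || 0) + 1;
    summary[host === ownHost ? "firstParty" : "thirdParty"] += 1;
  }
  return summary;
}

const SAMPLE_ERRORS = [
  { message: "visitCounter is not defined", filename: "https://www.example.com/js/site.js" },
  { message: "Script error.", filename: "" },
  { message: "adSlots is undefined", filename: "https://ads.vendor.example/serve.js" },
  { message: "adSlots is undefined", filename: "https://ads.vendor.example/serve.js" },
];

console.log(summarizeErrors(SAMPLE_ERRORS, "https://www.example.com/"));
```

In a browser, the records would come from a `window` `error` event listener, whose events carry the same `message` and `filename` fields. The first sample record counts as first-party on purpose: it is the site's own code calling a vendor object that never loaded, which is the case `callIfLoaded` guards against.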

I realize this is a repeat of what I have said early and often throughout the almost five (!) years of the blog, but the above article gave me an excuse to repeat it again.

(Link via Scott Barber tweet.)
