Use Only Trusted JavaScript

When developers create new websites and apps, they regularly blend new code with pre-existing code from third-party libraries, often written in JavaScript. This third-party JavaScript is embedded into the site by an outside vendor.

Examples of third-party JavaScript applications include:

  • Video embedding, such as YouTube, Vimeo, etc.
  • Social sharing buttons for Facebook, Twitter, and others
  • Advertising iframes
  • Analytics and metric applications

While convenient, using third-party JavaScript means giving up some degree of control, which can introduce security and privacy risks. There’s no guarantee that a third-party application regularly updates its security measures, and there’s often no way to tell, especially if the library is not open-source.

Best Practices

  • Use popular third-party libraries that have a large supporting community. These libraries tend to make regular updates and communicate with their community. You’ll also have fellow users to ask questions or express concerns.
  • Use open-source libraries that provide access to the source code so you can review it for quality issues or security loopholes.
  • Make sure your chosen third-party libraries carry the correct licenses and specifications for whatever you intend to use the library for.

Aside from privacy and security concerns, third-party JavaScript can also slow down your site. Some issues that cause slower load speeds include:

  • Too many network requests to multiple servers
  • Sending large, unoptimized images or videos
  • Single points of failure (SPOF) caused by incorrect script loading
  • Lack of sufficient server compression
  • Using legacy APIs known to be harmful to the user experience

Since third-party JavaScript is largely out of the site owner’s control, it’s important to choose trusted JavaScript applications that won’t compromise your site’s privacy and security or clog up your site’s loading process.

First off, you can analyze your site’s use of third-party JavaScript with tools such as Chrome DevTools, PageSpeed Insights, and WebPageTest.

These tools will highlight the third-party applications used by the site, the number of requests made for each application, and the time they take to load.
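
The same per-vendor inventory can be built from the browser's Resource Timing entries. The following is an added example, not part of the original article or of the tools named above; the function name, the siteDomain parameter, and the sample entries are constructed for illustration.

```javascript
// Added example: group Resource Timing entries by third-party host.
// summarizeThirdParties, siteDomain and SAMPLE_ENTRIES are illustrative names.

// Assumption: the caller supplies the site's own domain; that host and
// any of its subdomains are treated as first-party.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith('.' + siteDomain);
}

function summarizeThirdParties(entries, siteDomain) {
  const byHost = new Map();
  for (const e of entries) {
    let host;
    try {
      host = new URL(e.name).hostname;
    } catch {
      continue; // entry name is not an absolute URL
    }
    if (!host) continue; // data: and blob: URLs have no host
    if (isFirstParty(host, siteDomain)) continue;
    const row = byHost.get(host) || { host, requests: 0, scripts: 0, totalMs: 0 };
    row.requests += 1;
    // initiatorType 'script' marks resources requested by a <script> element
    if (e.initiatorType === 'script') row.scripts += 1;
    row.totalMs += e.duration;
    byHost.set(host, row);
  }
  // Hosts with the most cumulative load time first
  return [...byHost.values()].sort((a, b) => b.totalMs - a.totalMs);
}

// Constructed sample shaped like PerformanceResourceTiming entries.
const SAMPLE_ENTRIES = [
  { name: 'https://example.com/app.js', initiatorType: 'script', duration: 40 },
  { name: 'https://static.example.com/logo.png', initiatorType: 'img', duration: 15 },
  { name: 'https://analytics.vendor-a.test/tag.js', initiatorType: 'script', duration: 120 },
  { name: 'https://analytics.vendor-a.test/collect?x=1', initiatorType: 'xmlhttprequest', duration: 30 },
  { name: 'https://video.vendor-b.test/embed/1', initiatorType: 'iframe', duration: 200 },
  { name: 'data:image/png;base64,AAAA', initiatorType: 'img', duration: 1 },
];

console.table(summarizeThirdParties(SAMPLE_ENTRIES, 'example.com'));
```

In a page's DevTools console, pass performance.getEntriesByType('resource') as the first argument in place of the sample data.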

Additionally, the Lighthouse JavaScript boot-up time audit highlights scripts that take up a significant amount of loading time, allowing you to assess their worth.

If you discover that you may not need a third-party application, you can perform an A/B test using the network request blocking feature in Chrome DevTools. This lets you see how your site would perform if you blocked that particular application.

Check out Google’s guide to loading third-party JavaScript to get a more detailed look at all the options available to site owners.