- As discovered by security researcher Randy Westergren, many major tracking scripts don’t sanitize their data properly. This allows hackers to inject any code that they want, including one that can steal credit card information.
- A lot of “freemium” web services have been known to surreptitiously track user data and sell it to advertisers.
- Scripts that reference non-HTTPS domains can trigger mixed-content warnings for users on secure pages. They can also make personal user data more readily accessible to attackers, since anything sent over plain HTTP can be read or altered in transit.
- A third-party script can change at any time. This means that even after a code review, there’s no guarantee the script is doing what it says it does.
If we run http://nytimes.com through PageSpeed Insights, this is what we get:
- Only send the code that your users need.
- Minify your code.
- Compress your code.
- Remove unused code.
- Cache your code to reduce network trips.
Best Practices for Publishers
Publishers typically don’t have much control over third-party JS. But there are things they can do to ensure that their site and users are protected.