https://adactio.com/articles/18676

Ain't no party like a third party

December 9th, 2021

This was originally published on CSS Tricks in December 2021 as part of a year-end round-up of responses to the question "What is one thing people can do to make their website better?"

I'd like to tell you something not to do to make your website better. Don't add any third-party scripts to your site.

That may sound extreme, but at one time it would've been common sense. On today's modern web it sounds like advice from a tinfoil-hat wearing conspiracy nut. But just because I'm paranoid doesn't mean they're not out to get your user's data.

All I'm asking is that we treat third-party scripts like third-party cookies. They were a mistake.

Browsers are now beginning to block third-party cookies. Chrome is dragging its heels because the same company that makes the browser also runs an advertising business. But even they can't resist the tide. Third-party cookies are used almost exclusively for tracking. That was never the plan.

In the beginning, there was no state on the web. A client requested a resource from a server. The server responded. Then they both promptly forgot about it. That made it hard to build shopping carts or log-ins. That's why we got cookies.

In hindsight, cookies should've been limited to a same-origin policy from day one. That would've solved the problems of authentication and commerce without opening up a huge security hole that has been exploited to track people as they moved from one website to another. The web went from having no state to having too much.

Now that vulnerability is finally being closed. But only for cookies. I would love it if third-party JavaScript got the same treatment.

When you add any third-party file to your website--an image, a style sheet, a font--it's a potential vector for tracking. But third-party JavaScript files go one further. They can execute arbitrary code.

Just take a minute to consider the implications of that: any third-party script on your site is allowing someone else to execute code on your web pages. That's astonishingly unsafe.

It gets better. One of the pieces of code that this invited intruder can execute is the ability to pull in other third-party scripts.

You might think there's no harm in adding that one little analytics script. Or that one little Google Tag Manager snippet. It's such a small piece of code, after all. But in doing that, you've handed over your keys to a stranger. And now they're welcoming in all their shady acquaintances.

Request Map Generator is a great tool for visualizing the resources being loaded on any web page. Try pasting in the URL of an interesting article from a news outlet or magazine that someone sent you recently. Then marvel at the sheer size and number of third-party scripts that sneak in via one tiny script element on the original page.

That's why I recommend that the one thing people can do to make their website better is to not add third-party scripts.

Easier said than done, right? Especially if you're working on a site that currently relies on third-party tracking for its business model. But that exploitative business model won't change unless people like us are willing to engage in a campaign of passive resistance.

I know, I know. If you refuse to add that third-party script, your boss will probably say, "Fine, I'll get someone else to do it. Also, you're fired."

This tactic will only work if everyone agrees to do what's right. We need to have one another's backs. We need to support one another. The way people support one another in the workplace is through a union.

So I think I'd like to change my answer to the question that's been posed. The one thing people can do to make their website better is to unionize.
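
An added example, not part of the original article: a small Node.js audit that lists which origins a page's own HTML loads scripts from, the static starting point for the kind of inventory the Request Map Generator paragraph describes. The sample markup, hostnames and function names are constructed for illustration; scripts that a third-party script injects at runtime never appear in static HTML, so this list is a lower bound.

```javascript
// Added example: static inventory of script origins declared in a page's HTML.
// Regex tag matching is enough for an audit sketch; it is not a full HTML parser.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// Require start-of-string or whitespace before "src" so data-src is not mistaken for src.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = { firstParty: [], thirdParty: {}, inline: 0, unparseable: [] };
  for (const [, attrs] of html.matchAll(SCRIPT_TAG)) {
    const m = SRC_ATTR.exec(attrs);
    if (!m) { report.inline += 1; continue; }   // no src: inline script
    const raw = (m[1] ?? m[2] ?? m[3]).trim();
    let resolved;
    try {
      if (raw === "") throw new Error("empty src");
      // Resolves relative and protocol-relative (//host/path) URLs as a browser would.
      resolved = new URL(raw, pageUrl);
    } catch {
      report.unparseable.push(raw);
      continue;
    }
    if (resolved.origin === pageOrigin) {
      report.firstParty.push(resolved.href);
    } else {
      // Each key here is an origin whose code runs with full access to the page.
      const list = report.thirdParty[resolved.origin] || [];
      list.push(resolved.href);
      report.thirdParty[resolved.origin] = list;
    }
  }
  return report;
}

// Constructed sample input (hypothetical hosts), embedded so the audit runs offline.
const SAMPLE_PAGE = "https://www.example.com/articles/1";
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script>window.dataLayer = [];</script>
<script async src="https://tags.example.net/container.js?id=DEMO-1"></script>
<script src='//cdn.example.org/lib.min.js'></script>
<img data-src="https://img.example.com/a.png">
<script data-src="https://lazy.example.com/x.js" src="https://www.example.com/js/app.js"></script>
`;

console.log(JSON.stringify(auditScripts(SAMPLE_HTML, SAMPLE_PAGE), null, 2));
```
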

Responses

Brad Lhotsky: I'm astounded this needed to be written: adactio.com/articles/18676 tl;dr: Don't include thirdparty JavaScript on your site.
# Posted by Brad Lhotsky on Monday, December 13th, 2021 at 7:32pm

Jason Cosper: Bosses hate this one weird trick that you can do to make your website better: adactio.com/articles/18676
# Posted by Jason Cosper on Monday, December 13th, 2021 at 8:01pm

About this site

Adactio is the online home of Jeremy Keith, a web developer and author living and working in Brighton, England.

(c) 1998 - 2021 Jeremy Keith.