AIMEE_KNIGHT: Hey hey from Nashville.
CHARLES MAX_WOOD: Dan Shappir.
DAN_SHAPPIR: Hi from Tel Aviv, where the only good thing I can say about the weather is that it's great that we all have air conditioning.
CHARLES MAX_WOOD: AJ O'Neill. I'm Charles Max Wood from Dev Chat.tv. Just want to encourage you to go check out mostvaluable.dev. And we have a special guest this week, and that's Ben Vinegar. Hi, Ben. Ben, do you want to introduce yourself?
CHARLES MAX_WOOD: Oh nice.
CHARLES MAX_WOOD: And they use that for comments on DevChat.tv.
DAN_SHAPPIR: Yes, it does.
CHARLES MAX_WOOD: What comes off of Dan's example though, is that if I own the Wix website and I, or they are injecting their code into my website, then I guess I could kind of see it as third-party software to me, even though they mostly control the environment and everything around it because it's a Wix page. And so I think some of this just is down to your point of view as well.
DAN_SHAPPIR: That's actually a valid point. And yeah, we do need to deal with that.
BEN_VINEGAR: You know, I also want to paint, I don't want to look at a third-party script as just being a security vector. Although there's truth to that, it's also, it's broader than that. Like, the scripts that they inject might interfere with the way that you render the page. They might occupy the UI thread so that the rendering of the experience that you want as the, sort of, publisher is impacted by those scripts in a way that you may have very little control over, right? Because they're just sort of injected into the page and you may not be able to control the flow of how that application executes.
AJ: Well, to use the modern political parlance then, who's the most vulnerable party? The other one is the third party.
AJ: In this case, by vulnerable, in all senses of the word. So, like, if it changes the way your page looks, that makes you vulnerable, you know. Like, if it does anything that tampers with the integrity of your site, causing a poor user experience, causing load times, you know, all of that, I would say. You know, even though often we use words like integrity and vulnerability in the realm of security, I would say I meant it in a broader sense.
CHARLES MAX_WOOD: That's fair.
DAN_SHAPPIR: It's interesting, because the behavior of browsers has changed in a way that kind of impacts that. It used to be that the browser cache was shared between domains. So if I had a website and you had a website and we were both using, let's say, jQuery, and we were both using the same version from Cloudflare, then the fact that a person with their browser accessed your site would then benefit me if that same person accessed my site, because jQuery could be delivered from the local browser cache. This is no longer the case.
AJ: And it was never really the case because it would always make a request. So because...
DAN_SHAPPIR: Well, not necessarily. If the cache duration was specified appropriately, it might not.
AJ: Right. If it was specified appropriately, which generally they wouldn't, because doing that on a free service increases your support request rate, because people don't know how caches work, and they don't build their assets with, like, a cache tag or whatever, they've got their web server set up incorrectly, all these things go wrong. And so then you get people filing all these support tickets to the CDN on free accounts that are just burning time, because they're having trouble with caching and they don't know how to solve it.
DAN_SHAPPIR: Yeah, in any event, it's not really relevant anymore, because, for the listeners who may not know this, Safari, Firefox, and I'm not sure if Chrome is quite there yet or not, but if not, they're going to be there soon, use what is known as a double-keyed cache, which means that resources are not just cached by the URL, they're also cached by the main domain. So even if you do download the same site from the same URL from two separate sites, they won't share the cache. So the resource would actually download twice.
AJ: That sounds like such a stupid idea, Dan. Why ever would that be?
DAN_SHAPPIR: It's actually for privacy concerns, to avoid breadcrumbs or tracing. Like, suppose that I wanted to know that you, it's interesting for, I want to track users. I could actually have resources downloaded from common URLs across my gamut of websites, and then, by checking the delivery times and the download sizes, I can actually figure out if a certain resource was delivered from the local cache or not. And then I can use that to kind of track you across, you know, which websites you visited.
AJ: So these are known as ETag cookies.
DAN_SHAPPIR: No, this has nothing to do with ETags.
AJ: Oh, okay.
DAN_SHAPPIR: This has to do with the fact that, suppose you're downloading a resource, you're using resource a.js from Cloudflare. And then my website also uses a.js from Cloudflare, the same version with the exact same URL. I can check with the browser to see how quickly it downloaded, or even how many bytes were downloaded, figure out that it was served from the local cache, and say, oh, OK, now I know that they visited AJ's website.
AJ: Oh, okay. So that's even, like, that's even more subtle than ETag cookies, but with ETag cookies, you get specific user tracking, just the same as the way you'd get with normal cookies. That's what it is. Anyway, rabbit hole.
CHARLES MAX_WOOD: I think, yeah, I was going to say, yeah, we've rabbit-holed, and yeah.
BEN_VINEGAR: I think that this is an incendiary topic. I think that, you know, when I wrote this book, it is from the perspective of somebody developing products like this that have to also deal with the fact that, you know, third-party scripts, I guess, have a pretty bad rap. iframes had a really bad rap for a long time, but the reality is that, you know, this is almost like a business relationship, or these scripts are conferring value, right? As mentioned earlier, right? The podcast itself uses Disqus comments, like, it's getting something out of that. And so we're always going to have this. We're always going to have scripts that provide analytics and so forth. For example, even Sentry monitoring for errors, we have a script that lets you do this. So the question is, if you are developing that content, how do you be a good actor in the ecosystem? How do you develop an application that plays nicely with the host web page, doesn't take advantage, or doesn't mess with the host page, and makes sure that it doesn't interrupt rendering, makes sure that it doesn't lock the thread, and so forth, right? So it's true, there are a lot of bad, I don't know if bad actors is the right word, or third-party scripts that can result in a negative experience, but there are also, like, plenty of products out there that provide a lot of good value. And as long as they play nicely, like, set good cache rules, then you can have a good experience and everybody's okay.
AIMEE_KNIGHT: One question I have, so we've talked about third-party scripts being, you know, things that are outside of my control, but what about, well, outside of my code base's control, or outside my code base, but what about third-party scripts in the sense of, there are different things that, like, there are a lot of different marketing integrations that the developers may not even be aware of, where I just, as a marketer, go to some website, give it, you know, whatever information it needs, and suddenly there are, like, script tags on the page.
BEN_VINEGAR: Those qualify.
AIMEE_KNIGHT: Yeah. Or even the case of, like, Google Tag Manager. You can have, like, your Google Tag Manager tag, and just by nature of having that, you can hook in all kinds of scripts.
BEN_VINEGAR: Yeah, absolutely.
AIMEE_KNIGHT: Again, again, like outside of the control of like the developer.
BEN_VINEGAR: Okay. Yeah. I think Segment does this too, as tag managers go. I think they all apply, right?
BEN_VINEGAR: And so they're super common. Maybe in marketing, you know, marketing websites especially. Yeah. I think they all qualify. It's a bigger industry and it's a bigger, sort of, development space than we sometimes think about.
DAN_SHAPPIR: Maybe it might be worthwhile for some of our listeners to explain exactly what Tag Manager is.
AIMEE_KNIGHT: Yeah. So I know, man, it's been a while, so I don't completely remember, but my understanding is Google Tag Manager is a way, you know what? I would have to look, actually. I don't completely remember and I don't want to give a wrong answer, but.
BEN_VINEGAR: I've used it very briefly. I think it's kind of, it literally manages, like, script tags that are injected into your marketing website so that, you know, non-developers can have some control or some flexibility over the configuration, or on what pages things get injected and how. And so, you know, they don't have to go and call up the software team to go and make some minor script adjustments here or there.
AIMEE_KNIGHT: Yeah, you're right. It's literally anything.
DAN_SHAPPIR: Yeah, you're basically giving Google the ability to inject anything into your website, and presumably they do it based on what your marketing team decides to inject into your website, and hopefully they only inject the stuff that actually needs to be injected and not other things.
AIMEE_KNIGHT: The part I do remember about it is probably more like the programming side, where you have something called, like, a data layer that sits, that's how the code base talks to Tag Manager and passes, like, variables back and forth.
DAN_SHAPPIR: The bottom line though, from my perspective, is I see a lot of websites that download huge amounts of resources or content or stuff from Google, from Facebook, from others. I know that we...