Posted by Ryan Pascoe
We work hard to ensure that the websites we build provide the best possible user experience. However, it's not only our own code we have to keep in check: often, we’re asked to add third-party scripts to our sites, such as analytics, marketing tools, booking widgets and embeds. These scripts may be crucial to your business, but they come with many risks.
Ever viewed a page that looks like it's loaded but doesn't respond to taps, clicks or scrolling for several infuriating seconds? It's incredibly frustrating and sure to turn your users away.
The impact is even greater on mobile devices where computing power is limited, compounded by slow network speeds. According to research by Google, 53% of mobile users leave a site if it takes more than three seconds to load.
Many third-party scripts still only provide a non-secure HTTP version, which is problematic if your site is using HTTPS. When a site using HTTPS requests a non-HTTPS URL, one of two things will happen: either the browser will block the request, preventing the script from functioning, or it will mark the page as non-secure.
Third-party scripts are often hosted on the third party’s own server, and then requested by your site. Code can therefore be changed without notice and run on your site. This unfortunately makes them a target for hackers – if they can compromise the security of a third-party script, they then have the ability to carry out malicious activity on potentially millions of sites.
This can include:
- Defacing your site.
- Redirecting the user to a site posing as your own.
- Hijacking the user’s device to mine cryptocurrencies.
- Collecting personal information such as credit card numbers entered into a form.
This all sounds scary, but it goes without saying that you only want to be running code you can trust – and only on pages without sensitive information.
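As an added example (not part of the original post or Nixon's own tooling), the Node.js script below audits a page's script tags for the two risks described above: HTTP scripts on an HTTPS page, and scripts served from another party's host. It also goes one step beyond the text by flagging third-party scripts that lack the browser's `integrity` (Subresource Integrity) attribute, which pins a script to a known hash; the sample HTML, host names and function names are constructed for illustration.

```javascript
// Added example: audit the <script src> tags in a page's HTML.
// SAMPLE_HTML, its hosts and the integrity value are constructed placeholders.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="http://widgets.booking.example/embed.js"></script>
<script src="https://cdn.analytics.example/tag.js" async></script>
<script src="//maps.example/api.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script>console.log("inline, no src");</script>`;

// Collect a tag's attributes into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per external script that has at least one issue.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue; // inline script: delivered with the page itself
    const src = new URL(attrs.src, page); // resolves relative and // URLs
    const issues = [];
    if (page.protocol === "https:" && src.protocol === "http:") {
      issues.push("mixed-content"); // browser blocks it or marks page non-secure
    }
    if (src.host !== page.host) {
      issues.push("third-party"); // hosted on someone else's server
      // Without an integrity hash the host can change the code without notice.
      if (!attrs.integrity) issues.push("unpinned");
    }
    if (issues.length) findings.push({ src: src.href, issues });
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, "https://www.hotel.example/rooms"));
```

The regex-based tag matching is enough for a quick inventory of static HTML; scripts injected at runtime, for example by a tag manager, will not appear in the page source and need to be checked in the browser.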
Data collection and privacy
While we make sure our sites are accessible, not all third parties do the same when developing widgets such as booking engines. This is extremely important for things like availability calendars, as inaccessibility can leave your users unable to make bookings.
Services like Google Tag Manager give anyone with sufficient access the ability to add third-party scripts to your website without involving a developer. This can become problematic as the user(s) adding them may not be aware of the impact their changes can have.
What we do
We will only include code from trusted third parties, and only once it has been tested, which means we may occasionally reject a script or strongly advise against placing it on your site.
If you ask us to add a tag manager, we usually disable the ability for other parties to publish new code to the website. In the case of Google Tag Manager, other users can still view and make changes but will need to contact us to publish the changes. This means we can review all changes before they are published to ensure they don’t have a detrimental impact on your website’s performance.
What you can do
Share this page with marketing managers or anyone within your organisation who will be responsible for the day-to-day management of the website and liaising with Nixon.
Check with us before committing to a new marketing tool, booking engine or similar add-on, as it may require a third-party script to be placed on your website. It's important that we can evaluate the script’s impact ahead of time, as this protects you from signing up to a service only to find out it can't be implemented because it has an unacceptable impact on your website.
If in doubt – even if a third-party tool seems to be all singing, all dancing – it’s always a good idea to ask our opinion. We’re familiar with a wide range of third-party scripts and will always give honest advice with your brand in mind.