
Re: Security concerns with minified javascript code

On Tuesday 01 September 2015 17:46:30 Josh Triplett wrote:
> Nikolaus Rath wrote:
> > I don't think 28 kB vs 73 kB is a difference that people will notice
> > over the network in *most* situations. Even at just 100 kB/s that's
> > 0.28 vs 0.73 seconds, and only when the page is first loaded.
> That's absolutely a critical difference, even on a faster connection.
> Multiple studies have demonstrated that page load time matters for user
> retention.

Correlation does not imply causation.

> Amazon did a study that showed every ~100ms of page load
> delay lost them 1% in sales.

It could be that a small percentage of Amazon users are impulsive trigger-happy 
buyers. :)
However that conclusion is probably wrong due to a number of reasons:

 * 1% loss of sales is probably caused not by minification but by other 
means. Remember that minification affects only first page load. I suppose 
most buyers do not just purchase something from the very first page they've 

 * It is easy to claim loss of sales (and blame it on page load speed) 
without checking how percentage of returns is affected. Impulsive buyers 
never change their minds, right? ;)

 * Most people tend to think harder about more expensive purchases. Therefore 
"loss of revenue" is likely to be much smaller than "loss of sales".

> Google found that half a second slower
> load time for results pages drove off 20% of users.

Who says that loss of this audience matters? Have you ever closed a web site 
just because it is loaded a few seconds slower than the other and not due to 
its content?

> Google also prioritizes faster sites in search results.

I doubt that search engine optimisation is important in this context. Google 
have no DFSG concerns and they may prioritise based on other things like SPDY 
support etc. Are you sure Google prioritises smaller web pages over heavy 
ones? (because this is what you're saying as minified content reduces size of 
the web site and not necessarily speed of its loading). Besides, Google search 
engine probably just ignores JavaScripts and CSS hence minification should 
not make any difference (unless it is HTML minification).

> So yes, minifiers matter.

IMHO there is more harm than good. The only case for minification that I can 
think of is to increase web server capacity a little to cope with flow of new 
users following some sort of AD campaign. A poor substitute for capacity 
planning or a case when network link is congested.

Minification makes multiple assumptions such as that web app is perfect and 
nobody would ever need to open JS console and report errors. Or that nobody 
would like to learn about web site features from non-minified CSS and JS. Let 
alone debugging, some of us do not like proprietary javascripts running in our 
browsers -- minification kills opportunity for security peer review etc.

Finally, one may think that maintenance cost of minified JavaScripts in 
Debian outweighs all the "benefits" by huge margin.

Again, here is my summary why minification is unnecessary:


I recognise importance of user experience and I know that UI responsiveness 
is important for perception. Actually this is one of my concerns about 
minification: although it negligibly improves speed of downloading of web 
pages for a first time, in theory it may negatively affect JavaScript run-
time performance (e.g. speed of initialisation or UI lag)...

 Dmitry Smirnov.


Odious ideas are not entitled to hide from criticism behind the human
shield of their believers' feelings.
        -- Richard Stallman
