
first and third party script info#3

Merged
nucliweb merged 5 commits into main from first-third-party-scripts
May 27, 2022

@jhadev jhadev commented May 27, 2022

Contributor

Example output

CleanShot 2022-05-26 at 20 27 51@2x

@jhadev jhadev requested a review from nucliweb May 27, 2022 05:51

nucliweb commented May 27, 2022

Owner

We need to improve the host validation.

A lot of sites use a subdomain for the resources (as a custom CDN), and these resources aren't third-party.

e.g. On this site, all the resources use a subdomain, and the script detects all the First Party Scripts as Third Party Scripts.

image

An option is to add an array with the "first" hosts, and check the current host against these config hosts:

const HOSTS = [
  'assets.domain.com',
  'cdn.domain.com'
]


jhadev commented May 27, 2022

Contributor Author

You are right. Technically they aren't third party despite the fact they usually incur network cost. So the wording is kinda deceiving in this case. But you are totally right and I like your idea.

So basically create a hosts array for the user to edit themselves and then add that to the first party check.
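
The host allowlist check discussed above, as an added example (not code from this pull request): hostnames are normalized and compared by exact match, so a port or uppercase letters do not cause a miss, and a lookalike host that merely contains an allowed name stays third party. `FIRST_PARTY_HOSTS`, `normalizeHost`, `classifyScripts` and the sample entries are constructed for illustration.

```javascript
// Hypothetical user-edited allowlist of first-party asset hosts.
const FIRST_PARTY_HOSTS = ['assets.domain.com', 'cdn.domain.com'];

// Reduce a URL or bare host to a lowercase hostname without port or trailing dot.
function normalizeHost(value) {
  try {
    const url = new URL(value.includes('://') ? value : `https://${value}`);
    return url.hostname.toLowerCase().replace(/\.$/, '');
  } catch {
    return null; // not parseable as a URL
  }
}

// Split script resources into first party, third party and unparseable.
// In a browser: classifyScripts(performance.getEntriesByType('resource'), location.host)
function classifyScripts(entries, pageHost, allowedHosts = FIRST_PARTY_HOSTS) {
  const firstPartyHosts = new Set(
    [pageHost, ...allowedHosts].map(normalizeHost).filter(Boolean)
  );
  const result = { first: [], third: [], invalid: [] };
  const seen = new Set(); // the same URL can appear in several entries
  for (const { name, initiatorType } of entries) {
    if (initiatorType !== 'script' || seen.has(name)) continue;
    seen.add(name);
    const host = normalizeHost(name);
    if (host === null) result.invalid.push(name);
    else if (firstPartyHosts.has(host)) result.first.push(name); // exact match only
    else result.third.push(name);
  }
  return result;
}

// Constructed entries shaped like PerformanceResourceTiming objects.
const SAMPLE_ENTRIES = [
  { name: 'https://www.domain.com/js/app.js', initiatorType: 'script' },
  { name: 'https://CDN.domain.com:443/vendor.js', initiatorType: 'script' },
  { name: 'https://cdn.domain.com.lookalike.example/vendor.js', initiatorType: 'script' },
  { name: 'https://notdomain.com/track.js', initiatorType: 'script' },
  { name: 'https://assets.domain.com/site.css', initiatorType: 'link' },
  { name: 'https://www.domain.com/js/app.js', initiatorType: 'script' },
];

console.log(classifyScripts(SAMPLE_ENTRIES, 'www.domain.com'));
```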


jhadev commented May 27, 2022

Contributor Author

Example using katespade.com just bc I knew a subdomain.
CleanShot 2022-05-27 at 13 57 21@2x

Please test on the site you used above. Thanks!

Comment thread README.md
if (resource.initiatorType === "script") {
const { host } = new URL(resource.name);
// check if resource url host matches location.host = first party script
if (host === location.host || HOSTS.includes(host)) {
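
Review bot: `host === location.host || HOSTS.includes(host)` on the last line compares `URL.host`, which carries any non-default port, by exact string, so a `HOSTS` entry such as 'cdn.domain.com' will not match a script served from that host on another port. Consider destructuring `hostname` instead of `host` and comparing against `location.hostname`, and extend the comment above the check, which still mentions only `location.host`, to say that `HOSTS` entries are full hostnames matched exactly. If this is later relaxed to cover every subdomain, match on a leading-dot suffix rather than a bare `endsWith`, so an unrelated host that only ends in the same string is not counted as first party.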

Owner


👏

Comment thread README.md
Comment on lines +194 to +197
// set for first party scripts
const first = [];
// set for third party scripts
const third = [];
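
Review bot: the comments on `first` and `third` say "set", but both are initialised as arrays (`const first = [];`), so nothing in these lines deduplicates a script URL that shows up in more than one resource entry. Either use `new Set()` for both, or reword the comments to "list" so the name matches the data structure.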

Owner


❤️

@nucliweb nucliweb merged commit 40f4202 into main May 27, 2022
@nucliweb nucliweb deleted the first-third-party-scripts branch May 27, 2022 21:20
nucliweb added a commit that referenced this pull request Feb 12, 2026
Validate-Preload-Async-Defer-Scripts:
- Add missing fetchpriority="low" to <link rel=preload> tag in Solution 1
  This was a correctness bug - preload without fetchpriority="low" still
  escalates network priority even if script tag has fetchpriority="low"

Prefetch-Resource-Validation (comprehensive improvements):

Performance optimizations:
- Pre-normalize all URLs once into a Map (eliminates O(N×M) URL parsing)
- Use pre-built URL map for all matching operations
- Remove redundant URL parsing in nested loops
- Performance improvement: ~6000 URL objects → ~200 for typical cases

New validations:
- Detect invalid 'as' attribute values (typos like as="scriptt")
- Detect duplicate prefetch hints (same URL prefetched multiple times)
- Warn about large scripts (>1MB threshold, was missing)
- Validate 'as' attribute against list of valid values

Improved logic:
- Better cache detection: distinguish "cached" vs "unknown (CORS)"
  Handles case where CORS blocks timing info (both sizes === 0)
- Fixed inappropriateTypes to check scripts and provide detailed reasons
- Optimized isCurrentPageResource check to use pre-built map
- Added seenUrls Set to track duplicates

Code quality:
- Added validAsValues Set with all valid 'as' attribute values
- Added THRESHOLDS.largeScriptSize (1MB) for script-specific checks
- Better error messages with specific size/reason for inappropriateness
- Comments explaining CORS edge cases and validation logic

Documentation updates:
- Added "Invalid as", "Duplicate prefetch" to issue categories table
- Updated "Inappropriate type" description to mention scripts
- Cache status can now show "unknown (CORS)" in output

Addresses issues from comprehensive code review:
- URL matching performance (#8, #9 from analysis)
- Invalid 'as' validation (#7)
- Duplicate detection (#14)
- Large script detection (#4)
- Cache detection for CORS (#3)
- Current page detection optimization (#6)
nucliweb added a commit that referenced this pull request Feb 25, 2026