The Coach 3.0

We (and rumors say the Swedish king) are really excited that we today release the Coach 3.0! We took the chance to modernize the tools we use and add a new category of advice where the Coach can help.

Know what to do

The Swedish king Carl Gustaf waiting on instructions. You don't need to wait, just use the Coach to guide you!

New in 3.0

We have been collecting a couple of features and fixes over the last month that we want to share with you.

New category: Privacy

Privacy is important to us and we have had users complaining about the advice not to use Google Analytics: “Our customer wants a Best Practice score 100 and they cannot get that since they use GA ….”.

Well … by using Google Analytics your customer is revealing information about a your user’s behavior to Google. That’s not ok. But maybe the Best Practice category wasn’t the best place for that advice. That’s why we created the Privacy category with the following advice:

  • Always use HTTPS.
  • Do not mix HTTPS with HTTP, since every unencrypted HTTP request reveals information about your user’s behavior.
  • Use a Referrer Policy header that allows your site to control how much information the browser includes with navigations away from your page.
  • Use the HTTP Strict-Transport-Security response header to let the web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
  • Avoid including Facebook/Google/AMP/Youtube on your page since you give away users privacy to large companies.
  • Avoid using third party requests since it reveals information about your user’s behavior.

The new privacy category is super useful for everyone and specific all our users in the public sector: Please make sure that you do not leak your user’s behavior. Use the privacy score in your CI when sitespeed.io is released with the Coach 3.0.

The Swedish king needs privacy

The Swedish king heading for the bathroom, please give him some privacy.

New advice

The Coach got some more new advice for you!

Response Headers

We have a new advice that check response headers, inspired by Andrew Betts talk and blog post:

  • Avoid long response headers.
  • Avoid sending too many headers.
  • Avoid sending headers that unnecessary.
  • Use a (good) Content-Security-Policy header to make sure you you avoid Cross Site Scripting (XSS) attacks.

CPU time spent

In older version of the Coach we measured how much JavaScript that was sent over the wire. In the new version (if you are using Chrome) we also test the CPU time spent in scripting and rendering. This will give you an idea of how the site is performing but it all depends on how fast CPU you are using. The best for these tests is to run it using sitespeed.io on a dedicated server or a dedicated mobile phone.

First/third parties

We pickup how many third party requests the site do. Let us show you with Wikipedia:

$ webcoach https://en.wikipedia.org/wiki/Barack_Obama
...
│    thirdPartyPrivacy    │ You have 2% of the request that is 3rd party (2       │    98    │
│                         │ requests with a size of 3.7 kB).The regex             │          │
│                         │ .*wikipedia.* was used to calculate first/third party │          │
│                         │ requests. You can configure that with --firstParty.   │          │
│                         │ You should manually go through all the                │          │
│                         │ requests/responses and calculate the risk if the page │          │
│                         │ share user information with the 3rd party.            │          │  
....

Oopps two third party requests on Wikipedia, can that be true? No it’s not. By default we use the hostname of the URL you test and match that. For en.wikipedia.org we match all requests against .*wikipedia.* but two responses are served from the wikimedia.org domain. To fix that, we just add our own regex that decides if a request is a first party request or not.

webcoach https://en.wikipedia.org/wiki/Barack_Obama --firstParty "(.*wikipedia.*||.*wikimedia.*)"

With that correct regex Wikipedias third party score is 100.

Service worker?

There’s a check that reports if the page use service workers (as Lighthouse already do). If the page uses a service worker, the worker JavaScript file URL is returned. There’s no score associated, it’s just info.

Tech

There’s been a lot of changes in the background:

  • We removed the use of Bluebird and moved to native promises and async/await.
  • We use latest NodeJS LTS 10.13.0.
  • We rebuilt how we handle categories. In the future adding a category is as easy as creating a folder and add the advice (almost). However that made the getHarAdvice change. Before it returned an array with advice (since we only supported one category from HAR) and now it is a structure {category: [advice]} . This only affects you if you have developed something on top of the Coach and uses our API method directly.
  • We bumped all dependencies to use the latest releases.
  • We upgraded to latest Browsertime.

If you want to checkout the actual changes, go to the changelog where we have references to all PRs.

Summary

Is there any advice the Coach is missing? Or should we change anything? Help us out by letting us know.

Let us end with showing you a photo of the king of Sweden when we told him about all the great things in 3.0:

Know what to do

You should try out the new version of the Coach. The Swedish king shouted "Örebro" when he heard about all the good stuff that's in the release (that means something like "super awesome").

See you soon with a new Browsertime and a new sitespeed.io version!

/Peter