by Kristofer Baxter

Simply put, performance matters. We know members want to immediately start browsing or watching their favorite content and have found that faster startup leads to more satisfying usage. So, when building the long-awaited update to netflix.com, the Website UI Engineering team made startup performance a first tier priority.

The impact of this effort netted a 70% reduction in startup time, and was focused in three key areas:

1. Server and Client Rendering
2. Universal JavaScript
3. JavaScript Payload Reductions

Server and Client Rendering

The netflix.com legacy website stack had a hard separation between server markup and client enhancement. This was primarily due to the different programming languages used in each part of our application. On the server, there was Java with Tomcat, Struts and Tiles. On the browser client, we enhanced server-generated markup with JavaScript, primarily via jQuery.

This separation led to undesirable results in our startup time. Every time a visitor came to any page on netflix.com our Java tier would generate the majority of the response needed for the entire page's lifetime and deliver it as HTML markup. Often, users would be waiting for the generation of markup for large parts of the page they would never visit.

Our new architecture renders only a small amount of the page's markup, bootstrapping the client view. We can easily change the amount of the total view the server generates, making it easy to see the positive or negative impact. The server requires less data to deliver a response and spends less time converting data into DOM elements. Once the client JavaScript has taken over, it can retrieve all additional data for the remainder of the current and future views of a session on demand. The large wins here were the reduction of processing time in the server, and the consolidation of the rendering into one language.

We find the flexibility afforded by server and client rendering allows us to make intelligent choices of what to request and render in the server and the client, leading to a faster startup and a smoother transition between views.

Universal JavaScript

In order to support identical rendering on the client and server, we needed to rethink our rendering pipeline. Our previous architecture's separation between the generation of markup on the server and the enhancement of it on the client had to be dropped.

Three large pain points shaped our new Node.js architecture:

1. Context switching between languages was not ideal.
2. Enhancement of markup required too much direct coupling between server-only code generating markup and the client-only code enhancing it.
3. We’d rather generate all our markup using the same API.

There are many solutions to this problem that don't require Universal JavaScript, but we found this lesson was most appropriate: When there are two copies of the same thing, it's fairly easy for one to be slightly different than the other. Using Universal JavaScript means the rendering logic is simply passed down to the client.

Node.js and React.js are natural fits for this style of application. With Node.js and React.js, we can render from the server and subsequently render changes entirely on the client after the initial markup and React.js components have been transmitted to the browser. This flexibility allows for the application to render the exact same output independent of the location of the rendering. The hard separation is no longer present and it's far less likely for the server and client to be different than one another.

Without shared rendering logic we couldn't have realized the potential of rendering only what was necessary on startup and everything else as data became available.

Reduce JavaScript Payload Impact

Building rich interactive experiences on the web often translates into a large JavaScript payload for users. In our new architecture, we placed significant emphasis on pruning large dependencies we can knowingly replace with smaller modules and delivering JavaScript only applicable for the current visitor.

Many of the large dependencies we relied on in the legacy architecture didn't apply in the new one. We've replaced these dependencies in favor of newer, more efficient libraries. Replacing these libraries resulted in a much smaller JavaScript payload, meaning members need less JavaScript to start browsing. We know there is significant work remaining here, and we're actively working to trim our JavaScript payload down further.

Time To Interactive

In order to test and understand the impact of our choices, we monitor a metric we call time to interactive (tti).

Amount of time spent between first known startup of the application platform and when the UI is interactive regardless of view. Note that this does not require that the UI is done loading, but is the first point at which the customer can interact with the UI using an input device.

For applications running inside a web browser, this data is easily retrievable from the Navigation Timing API (where supported).

Work is Ongoing

We firmly believe high performance is not an optional engineering goal – it's a requirement for creating great user-experiences. We have made significant strides in startup performance, and are committed to challenging our industry’s best-practices in the pursuit of a better experience for our members.

Over the coming months we'll be investigating Service Workers, ASM.js, Web Assembly, and other emerging web standards to see if we can leverage them for a more performant website experience. If you’re interested in helping create and shape the next generation of performant web user-experiences apply here.

Columbia University paleontologist Paul Olsen: "Absolutely nothing about this... is even vaguely correct." (more…)

If you are reading mail on your iPhone and iPad and a popup appears asking you to re-login to iCloud (or anything else), beware. Security researcher Jan Soucek discovered a bug in the iOS Mail app that allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials … 

While Soucek uses iCloud as the demonstration – as it’s not uncommon for an iOS device to prompt people to login again – the same code could be used to imitate any website or service. It doesn’t have to be a phishing prompt for authentication either — any arbitrary HTML and CSS can run.

Soucek says that he first spotted the bug in iOS 8.1.1, filing a bug report with Apple. At that time, he kept the details to himself, allowing Apple time to fix the bug. Five months later, the company has still not done so, he said, and he therefore chose to make the code public to draw attention to the risk.

It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.

Soucek has now uploaded proof of concept to the code-sharing site GitHub. While this serves to alert people to the existence of the flaw, and applies pressure to Apple to fix it in a future update, it also means the code is out there for anyone to use.

The safe course for now is to assume that any login popup that appears while using the iOS Mail app is malicious. If your iOS device does indeed need you to login again to iCloud or anything else, wait until prompted when not using Mail.

For more information about iPhone, iPad, and iOS continue reading at 9to5Mac.

What do you think? Discuss "Beware authentication popups in iOS Mail: bug allows convincing-looking phishing attacks" with our community.

Drop everything and read Seymour Hersh’s astounding alternative history of the U.S. killing of Osama bin Laden. Hell of a good read.

With the new iPhone 5s and 5c rolling in and many users wanting to upgrade to the new devices, it might be wise to increase the value of your phone by unlocking it. Chronic Unlocks, the go-to company for unlocking iPhones (and various Nokias, LGs, BlackBerrys and other smartphones), offers a quick, reliable, and low-cost unlocking service.

An unlocked phone means that the device is no-longer connected to the carrier for which you purchased the device. You can then put in any SIM-card and use the phone worldwide. With international pre-paid SIM-cards and an unlocked phone, you do not have to worry about international roaming charges. For those in the U.S., unlocking an AT&T iPhone would allow you to connect the device to T-Mobile.

Chronic Unlocks also tells us that it has been seeing an average of $100+ extra resale value on iPhones that are sold as unlocked devices. Phones can even be unlocked if the phone is currently on a contract:

To use the Chronic Unlocks, you head to their website, pick a service based on your phone model, carrier, and desired turnaround time… time.

After picking the service you are interested in, you need to locate and enter some specific information about your phone (as seen above). The only information needed that you may not know off hand is your phone’s IMEI number. You can locate this in your iPhone’s Settings app (near where the Serial Number and other information is listed) or by dialing *#06#.

Even though the iPhone 5s and iPhone 5c are new devices, they are fully supported by Chronic Unlocks. Some have been concerned about the legality of phone unlocking, but Chronic Unlocks completely transparently explains its process and how it is different than other unlock providers:

The number one advantage would only apply to USA users. Because Chronic Unlocks is based in the United States, we must follow US law, including the new provisions that went into effect in January 2013 which supposedly outlaw third-party unlock solutions. We are proud to say that we have worked with our lawyers to structure our system to be 100% in compliance with the letter of the law (perhaps not the “spirit” of it, but that’s not a crime). We realize that there are many competitors out there in the mobile phone unlocking industry, some are legitimate and some are flat out scammers who will mislead individuals, and others are simply not US-based and yield a higher profit margin by providing a solution for US customers that isn’t legal for them to use (and often won’t inform the customer of this, either because they are unfamiliar with the new US laws that are in place or they may not care about liability on their customer’s end). There are different specialty unlockers in this industry and there is room for everyone to thrive, so we’ve made it our goal to focus efforts on being the best, 100% legal, and most reliable provider that we can be. And although we cater to US customers by ensuring all of our methods are only ones that are in compliance with the new laws, we most certainly also offer unlock solutions for a range of other countries, and have many happy customers from such places (Spain, France, UK, Australia, UAE, and more!)

Additionally, the company is offering up a notable discount program for 9to5Mac readers. To get 20% off of an unlock, just enter the following discount codes depending on the service you’d like:

• AT&T Fast unlock (normally $34.99):9TO5MACATTFAST
• AT&T Normal unlock (normally $24.99):9TO5MACATT

Additionally, the service is offering 15 free unlocks to our readers. To enter for the free unlock, leave a comment explaining why you would like the free unlock. We will message the winners in a week.

Visit 9to5Mac to find more special coverage of Tips and Tricks.

What do you think? Discuss "Want to increase the value of your iPhone? Chronic Unlocks offering 9to5Mac readers 20% discounts" with our community.