[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Links to javascript-based websites from orgmode.org: Paypal and Gith

From: Hendursaga
Subject: Re: Links to javascript-based websites from orgmode.org: Paypal and Github
Date: Wed, 06 Jul 2022 10:42:09 -0400

Richard Stallman <rms@gnu.org> writes:

> Wow!  If that is what it might be, it would be great news.  But we had
> better verify it carefully, because it sounds too good to be true.
> Would someone like to check the details thoroughly?

I'm afraid it is, indeed, too good to be true. The README at 
https://github.com/stripe/stripe-js lists:

"Note: To be PCI compliant, you must load Stripe.js directly from 
https://js.stripe.com. You cannot include it in a bundle or host it yourself. 
This package wraps the global Stripe function provided by the Stripe.js script 
as an ES module."

Loading https://js.stripe.com/v3/ (the latest version) in a browser yields a 
minified blob of JS. At the very end, it has an error message, "It looks like 
Stripe.js was loaded more than one time. Please only load it once per page." 
Searching this string on Stripe's GitHub organization yields no matches 
(indeed, searching all of GitHub yields no matches).

The best you could do is mitigate some of the risks, such as detailed in 
https://mtlynch.io/stripe-recording-its-customers/ but unfortunately that 
carries additional risks, such as "Stripe clients bear the cost of chargebacks 
against their application, so they should decide how much information to share 
with Stripe to reduce those chargebacks."


reply via email to

[Prev in Thread] Current Thread [Next in Thread]