
1134 points mtlynch | 6 comments
1. agwa No.22937839
This is a good reason to use a technique like cperciva's payment iframe: https://www.paymentiframe.com/

It lets you use stripe.js (thus getting the PCI compliance benefits) without Stripe being able to spy on your visitors.

replies(2): >>22938342, >>22938980
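As an added illustration of the split-origin design the comment describes (this is not cperciva's code and not from the page), the origin checks that let a parent page accept a Stripe token from a payment iframe hosted on a separate domain; the domain names and message format are assumptions:

```javascript
// Parent page <-> payment iframe messaging, written as pure functions so the
// origin checks can be exercised outside a browser.
// Assumed deployment: the shop at https://shop.example serves only the parent
// page; the iframe at https://pay.example (a separate origin, so it cannot read
// the parent's DOM) loads stripe.js, tokenizes the card and posts the token back.
// Both origins and the message shape are assumptions for this example.

const SHOP_ORIGIN = "https://shop.example";
const PAY_ORIGIN = "https://pay.example";

// Iframe side: wrap the token id. The iframe must send this with
//   parent.postMessage(buildTokenMessage(id), SHOP_ORIGIN);
// so a page that framed it from another origin never receives the token.
function buildTokenMessage(tokenId) {
  return { type: "stripe-token", token: String(tokenId) };
}

// Parent side: accept a message only from the iframe's origin and only with the
// expected shape; everything else is ignored and reported as untrusted.
function acceptTokenMessage(event, expectedOrigin = PAY_ORIGIN) {
  if (event.origin !== expectedOrigin) {
    return { ok: false, reason: "origin mismatch: " + event.origin };
  }
  const data = event.data;
  if (!data || data.type !== "stripe-token" || typeof data.token !== "string") {
    return { ok: false, reason: "unexpected message shape" };
  }
  // Stripe token ids look like "tok_..."; the charge itself still happens
  // server-side, so the parent only forwards this opaque id.
  if (!/^tok_[A-Za-z0-9]+$/.test(data.token)) {
    return { ok: false, reason: "malformed token id" };
  }
  return { ok: true, token: data.token };
}

// Parent side: listener wiring, parameterised on the window so it can be tested.
function installParentListener(win, onToken, expectedOrigin = PAY_ORIGIN) {
  win.addEventListener("message", (event) => {
    const result = acceptTokenMessage(event, expectedOrigin);
    if (result.ok) onToken(result.token);
  });
}

// Constructed sample events for a stand-alone run.
console.log(acceptTokenMessage({ origin: PAY_ORIGIN, data: buildTokenMessage("tok_visa") }));
console.log(acceptTokenMessage({ origin: "https://evil.example", data: buildTokenMessage("tok_visa") }));
```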
2. Znafon No.22938342
While I trust him, how can we be sure that paymentiframe.com won't start serving an iframe that steals the credit cards in the future?
replies(1): >>22938592
3. Kaze404 No.22938592
From the page:

> Why should I trust you?

> [...] If you're worried about both, consider this a proof-of-concept which you should replicate on your own server (using a separate domain name from the rest of your site).

replies(1): >>22941169
4. ricardobeat No.22938980
That is so ridiculously insecure I'm surprised the author has published it without a massive disclaimer.

Do NOT use an unknown third party, without PCI qualification, with whom you have no contractual relationship, in between you and your payment provider.

replies(1): >>22939553
5. jedberg No.22939553
It says at both the top and bottom of the page not to trust him, and at the bottom it says to implement it yourself if you care about security.

Seems fairly "disclaimed" to me.

6. tgtweak No.22941169
Yeah, nobody should be embedding this verbatim to process payments; that will fail any PCI audit.