←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 1 comments | 21 Apr 20 17:01 UTC | HN request time: 0.199s | source
Show context
ScoutOrgo ◴[21 Apr 20 18:27 UTC] No.22937822[source]
I recently worked on a fraud detection POC with a few vendors in this space and it is common for them to require adding a js snippet to capture info like this. This isn't out of the ordinary behavior.
replies(1): >>22940212 #
neop1x ◴[21 Apr 20 22:58 UTC] No.22940212[source]
But this IS wrong!! What if my browser doesn't support javascript? It won't allow me to purchase anything! Why there HAS to be javascript to prevent fraud? That is simply an abuse of programmable functionality which was not made for such purposes. Aren't those credit cards safe because they are electronic and todays transactions can be reversed, tracked and that fiat money are just database rows?!
replies(4): >>22940608 #>>22940616 #>>22940657 #>>22942988 #
MattGaiser ◴[22 Apr 20 00:00 UTC] No.22940616[source]
> What if my browser doesn't support javascript? It won't allow me to purchase anything!

Unless you are Alex Jones, it is probably not worth it to redesign your website to accommodate doomsday preppers. I just disabled JS and you can't even sign in to Amazon or eBay without it. Most websites are now heavily built on JS frameworks, so most projects I have worked on would not be meaningfully functional without it.

> Aren't those credit cards safe because they are electronic and todays transactions can be reversed, tracked and that fiat money are just database rows?!

No... The reversal doesn't prevent someone from buying something and taking the item. Sure you can reverse the transaction, but then the merchant takes the hit.

Credit cards are safe for the consumer because transactions can be reversed and tracked. They are not safe for the merchant.

replies(1): >>22941369 #
dylan604 ◴[22 Apr 20 02:17 UTC] No.22941369[source]
There's a difference too between allowing self-hosted JS and 3rd party JS. As a no-script user, if a site does not work with JS blocked, I will allow self-hosted JS while still blocking 3rd party. If it still doesn't work, then I consider if the site is something I'm really interested in or not. If not, tab closes. If I am, then I'll look to see if there's 3rd party stuff I trust.

In your example, allowing Amazon's JS allows the site to work at least as far as AWS Console behaves. I don't really use eBay, so I can't speak to what JS is required.

replies(1): >>22951493 #
1. RussianCow ◴[23 Apr 20 00:06 UTC] No.22951493[source]
I think most businesses would be more than happy to lose the tiny percentage of customers who use NoScript in exchange for better fraud detection.