For those that are working with SPAs or similar and are not overly affected by fraud, I've put together a simple example showing how to sandbox Stripe.js code and unload it when you're done. No secondary domains, no reverse engineering of the Stripe.js library. It also maintains a reasonable level of trust in Stripe, who deserve it.