Which is actually crazy, because if I were to design a malicious ad that gets included on the page where you have your Stripe form, it would be as easy for me to extract the values the user has entered as it is for stripe.js.

So, even if PCI compliance doesn't require it, I would make sure that the page the form is on doesn't have any JS dependency hosted on a server I don't control.

Longer term, it would probably be wise for Stripe to host the form in an iframe.
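The check implied by the comment above (no third-party JS on the page that hosts the card form) can be automated. The following is an added example, not code from the thread, from Stripe or from Recurly: it parses a page's HTML with the standard library and lists every script source whose host is neither the page's own origin nor on an explicit allow list. The sample checkout page, the shop.example.test origin and the ad/analytics hosts are constructed for the example; js.stripe.com is assumed here to be the host stripe.js is served from.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSourceCollector(HTMLParser):
    """Collect the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src values of <script src=...>
        self.inline = 0      # number of <script> blocks without src

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def third_party_scripts(html, page_origin, allowed_hosts=()):
    """Return script URLs whose host is not the page's own host and not in
    allowed_hosts. Relative paths (no host) are treated as first-party.
    Protocol-relative URLs (//host/path) are resolved to their host."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    own_host = urlparse(page_origin).hostname
    allowed = {own_host, *allowed_hosts}
    offenders = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:      # relative path: served from our own origin
            continue
        if host not in allowed:
            offenders.append(src)
    return offenders


# Constructed sample: a checkout page that has picked up an ad tag and an
# analytics beacon alongside the payment script and the shop's own bundle.
SAMPLE_CHECKOUT_PAGE = """
<html><head>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = [];</script>
<script src="//ads.example-network.test/tag.js"></script>
<script src="https://cdn.analytics.example.test/collect.js" async></script>
</head><body><form id="payment"><input name="card-number"></form></body></html>
"""


def audit_sample():
    """Run the check on the constructed page, allowing only the payment
    provider's host. Any result means an unrelated script can read the
    card form exactly as the payment script can."""
    return third_party_scripts(
        SAMPLE_CHECKOUT_PAGE,
        "https://shop.example.test",
        allowed_hosts=("js.stripe.com",),
    )


if __name__ == "__main__":
    for url in audit_sample():
        print("third-party script on card form page:", url)
```

Run it against the rendered HTML of the real checkout page (for example fetched with the same cookies a customer would have, so that any injected tags appear); an empty result is the state the comment recommends. Scripts added at runtime by other scripts are not visible to a static parse, which is one more reason to keep the dedicated page free of any script you do not host.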



Oh definitely, for my purposes Stripe is on a separate page that only has stuff that I host within my app.


I will definitely put this script (recurly.js in my case) on a dedicated page with no third parties included.
