Richard Stallman <r...@gnu.org> writes:

> Wow! If that is what it might be, it would be great news. But we had
> better verify it carefully, because it sounds too good to be true.
> Would someone like to check the details thoroughly?
I'm afraid it is, indeed, too good to be true.

The README at https://github.com/stripe/stripe-js lists:

"Note: To be PCI compliant, you must load Stripe.js directly from https://js.stripe.com. You cannot include it in a bundle or host it yourself. This package wraps the global Stripe function provided by the Stripe.js script as an ES module."

Loading https://js.stripe.com/v3/ (the latest version) in a browser yields a minified blob of JS. At the very end, it has an error message, "It looks like Stripe.js was loaded more than one time. Please only load it once per page." Searching for this string in Stripe's GitHub organization yields no matches (indeed, searching all of GitHub yields no matches).

The best you could do is mitigate some of the risks, such as those detailed in https://mtlynch.io/stripe-recording-its-customers/, but unfortunately that carries additional risks, such as "Stripe clients bear the cost of chargebacks against their application, so they should decide how much information to share with Stripe to reduce those chargebacks."

-- Hendursaga