Posted
4 minutes ago, bfarber said:

Stripe requires the javascript to be included site-wide to properly evaluate behavior for fraud. In short - no, there's no out of the box way to do this.

Can you point us to the docs for that requirement from Stripe, @bfarber? That link that I found above states:

Quote

The more activity Stripe’s fraud engines can observe, the better Stripe’s fraud prevention will be. Stripe therefore encourages including Stripe.js on every page of the shopping experience, not just the checkout page. This level of Stripe.js coverage gives Stripe the richest possible set of such signals to distinguish fraudulent purchasers from real customers.

I'm wondering if we limit the inclusion of the Stripe.js to those pages involved in the shopping experience (looking at the /subscriptions page, anything within /store, etc.), if we'd be reducing the overhead of loading that javascript for most members in communities where the only purchasable thing is subscriptions. The vast number of people on our site will never purchase anything. I suppose the issue is what if someone puts a store block on a forum page.

Posted

I've raised this before as well, I like Stripe, but this 'requirement' is ridiculously OTT and potentially a privacy/tracking issue. This issue needs pressing with them, honestly. It's creepy and unnecessary. In fact the rest of my website (non-IPS content/my own web pages) doesn't include these files ever throughout (1000's of pages), and they have never complained about it or stopped a client from paying via Stripe.

Posted

I'm not sure it's an actual requirement. I've dug through their documentation and I can't find anything other than what I posted above.

My guess is that IPS can't be sure what an administrator will do with the platform, and out of an abundance of caution, put the javascript on every page. I'd recommend a more liberal approach that loads the javascript on any page with nexus related content. Maybe the overhead is not worth it--not sure. If there's no block for a product on the page, etc. then don't show the javascript. However, what if someone uses Pages to make product informational pages that lead into a product in Commerce?

If I were IPS, I'd say "let's just slap it on everything and call it a day."

Posted

Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:

Quote

Include Stripe.js on every page of your site, not just the checkout page where your customer enters their payment information. By doing so, Stripe can detect anomalous behavior that may be indicative of fraud as customers browse your website—providing additional signals that increase the effectiveness of our detection.

https://stripe.com/docs/radar/checklist#include-stripe-js

Browsing my boring webpages or members discussing what ice cream or TV series they prefer, isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site wide, every day pages.

 

Posted
20 hours ago, The Old Man said:

Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:

https://stripe.com/docs/radar/checklist#include-stripe-js

Browsing my boring webpages or members discussing what ice cream or TV series they prefer, isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site wide, every day pages.

 

Yes, this is it right here. Perhaps my wording of "requirement" was not accurate so apologies for that. The fact is, Stripe recommends doing this, so we do it. 

Posted
1 minute ago, The Old Man said:

Could we have an option to limit it to Commerce pages only?

It would probably need to be a limit on anything using Commerce components. So, if a block from Commerce were available somewhere on a forum page, for example, I'd say the Stripe.js call should be there too.

  • 3 months later...
Posted

@bfarber I would also love the option to restrict this to commerce related pages also.

Also is there an option to redirect the user to a stripe checkout page rather than using the integrated commerce one? 

People on our community would feel more confident in entering their details

Posted
23 hours ago, RoleplayUK said:

@bfarber I would also love the option to restrict this to commerce related pages also.

Also is there an option to redirect the user to a stripe checkout page rather than using the integrated commerce one? 

People on our community would feel more confident in entering their details

I'm afraid this is not an option at this time, although SCA sometimes results in a page from Stripe (or I believe more accurately, the card issuer) appearing in the browser when the user checks out in order to confirm details.

Posted

Interesting, I found a lot of articles raising concerns about Stripe.js, one example is this article and a follow up after someone decided to see what is being sent with each request...

https://mtlynch.io/stripe-recording-its-customers/

https://mtlynch.io/stripe-update/
 

Please IPS reconsider reducing the privacy impact of this by only loading it on the Commerce pages that need it like the checkout process. Stripe do not need to know about website visitors' mouse movements and clicks to this extent, it's hugely intrusive and disproportionate which goes against the principles of GDPR and other modern privacy legislation. Our end users don't get the chance to opt in to sitewide surveillance tracking, even if they are guests and not signed in registered members they are potentially being tracked.

Alternatively please give us the toggle option to disable it for ourselves if we prefer, or some template logic limiting it to Commerce or perhaps maybe a CSP that we utilise.

For now I'm going to disable Stripe. It's a great product and very reliable, but global intrusive privacy implications and lack of transparency are very off putting.

Many thanks.
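
The CSP idea raised in the post above, sketched as an added example (not code from this thread, IPS or Stripe): a per-request Content-Security-Policy that allows the Stripe origins only on commerce paths. The `/store` and `/subscriptions` prefixes come from the thread; `/checkout`, the `hasCommerceBlock` flag and the function names are assumptions, and the Stripe origins follow Stripe's published CSP guidance for Stripe.js.

```javascript
// Added example: path-scoped CSP. Hypothetical helper, not part of IPS.
// Assumed commerce prefixes (/store and /subscriptions are from the thread).
const COMMERCE_PREFIXES = ['/store', '/subscriptions', '/checkout'];

// Origins Stripe.js needs, per Stripe's CSP guidance (check current docs).
const STRIPE = {
  'script-src': ['https://js.stripe.com'],
  'frame-src': ['https://js.stripe.com', 'https://hooks.stripe.com'],
  'connect-src': ['https://api.stripe.com'],
};

// Strict baseline served on every non-commerce page.
const BASE = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'frame-src': ["'self'"],
  'connect-src': ["'self'"],
};

function isCommercePath(rawPath) {
  let path;
  try {
    // Drop query/fragment, then decode so %2Fstore-style tricks are normalised.
    path = decodeURIComponent(rawPath.split(/[?#]/)[0]);
  } catch {
    return false; // malformed escapes: fall back to the strict policy
  }
  path = path.replace(/\/{2,}/g, '/').toLowerCase();
  // Match whole path segments only, so /storefront is not treated as /store.
  return COMMERCE_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// hasCommerceBlock (hypothetical flag) covers the case raised in the thread:
// a Commerce block rendered on an otherwise non-commerce page.
function cspFor(rawPath, { hasCommerceBlock = false } = {}) {
  const allowStripe = hasCommerceBlock || isCommercePath(rawPath);
  return Object.entries(BASE)
    .map(([dir, srcs]) => {
      const extra = allowStripe && STRIPE[dir] ? STRIPE[dir] : [];
      return [dir, ...srcs, ...extra].join(' ');
    })
    .join('; ');
}
```

On pages that get the strict policy the browser refuses to load Stripe.js even if the template still emits the script tag, so the violation shows up in the console or a CSP report endpoint rather than as a silent tracker.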

Posted (edited)

Hi Paul, yes I thought the same but preferably I'd like IPS to improve the integration as stock. They removed Gravatar due to privacy concerns, this seems a worse scenario. Plus it's not a full removal, just managing the risk better IMHO. 🤔

Edited by The Old Man
Posted
21 hours ago, Paul E. said:

This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

I am unaware of any reason such a plugin would not be allowed on the marketplace.

  • 2 weeks later...
Posted (edited)
On 1/5/2021 at 4:04 PM, Paul E. said:

This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

@Paul E. Is this something you will be releasing? I would be very interested

Edited by RoleplayUK