AlexWright Posted September 13, 2020

Is there a way to disable the Stripe javascript everywhere outside of the Store pages that it's needed on?
CoffeeCake Posted September 13, 2020

I asked this question in the past, yet it is apparently an intentional design decision by IPS for Stripe's fraud checking.

https://stripe.com/docs/disputes/prevention/advanced-fraud-detection

Seems like maybe only nexus pages would be a better choice.
bfarber Posted September 14, 2020

Stripe requires the javascript to be included site-wide to properly evaluate behavior for fraud. In short - no, there's no out of the box way to do this.
CoffeeCake Posted September 14, 2020

4 minutes ago, bfarber said:
> Stripe requires the javascript to be included site-wide to properly evaluate behavior for fraud. In short - no, there's no out of the box way to do this.

Can you point us to the docs for that requirement from Stripe, @bfarber? That link that I found above states:

> The more activity Stripe’s fraud engines can observe, the better Stripe’s fraud prevention will be. Stripe therefore encourages including Stripe.js on every page of the shopping experience, not just the checkout page. This level of Stripe.js coverage gives Stripe the richest possible set of such signals to distinguish fraudulent purchasers from real customers.

I'm wondering if we limit the inclusion of the Stripe.js to those pages involved in the shopping experience (looking at the /subscriptions page, anything within /store, etc.), if we'd be reducing the overhead of loading that javascript for most members in communities where the only purchasable thing is subscriptions. The vast number of people on our site will never purchase anything.

I suppose the issue is what if someone puts a store block on a forum page.
The Old Man Posted September 14, 2020

I've raised this before as well. I like Stripe, but this 'requirement' is ridiculously OTT and potentially a privacy/tracking issue. This issue needs pressing with them, honestly. It's creepy and unnecessary.

In fact the rest of my website (non-IPS content/my own web pages) doesn't include these files ever throughout (1000s of pages), and they have never complained about it or stopped a client from paying via Stripe.
CoffeeCake Posted September 14, 2020

I'm not sure it's an actual requirement. I've dug through their documentation and I can't find anything other than what I posted above. My guess is that IPS can't be sure what an administrator will do with the platform, and out of an abundance of caution, put the javascript on every page.

I'd recommend a more liberal approach that loads the javascript on any page with nexus related content. Maybe the overhead is not worth it--not sure. If there's no block for a product on the page, etc. then don't show the javascript. However, what if someone uses Pages to make product informational pages that lead into a product in Commerce?

If I were IPS, I'd say "let's just slap it on everything and call it a day."
The Old Man Posted September 14, 2020

Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:

> Include Stripe.js on every page of your site, not just the checkout page where your customer enters their payment information. By doing so, Stripe can detect anomalous behavior that may be indicative of fraud as customers browse your website—providing additional signals that increase the effectiveness of our detection.

https://stripe.com/docs/radar/checklist#include-stripe-js

Browsing my boring webpages or members discussing what ice cream or TV series they prefer, isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site wide, every day pages.
The Old Man Posted September 14, 2020

Actually I think, with hindsight, they're probably talking about site-wide in relation to dedicated e-commerce sites like Fatface, etc.
bfarber Posted September 15, 2020

20 hours ago, The Old Man said:
> Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:
> https://stripe.com/docs/radar/checklist#include-stripe-js
> Browsing my boring webpages or members discussing what ice cream or TV series they prefer, isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site wide, every day pages.

Yes, this is it right here. Perhaps my wording of "requirement" was not accurate so apologies for that. The fact is, Stripe recommends doing this, so we do it.
The Old Man Posted September 15, 2020

Thanks @bfarber, no need to apologise! Could we have an option to limit it to Commerce pages only?
CoffeeCake Posted September 15, 2020

1 minute ago, The Old Man said:
> Could we have an option to limit it to Commerce pages only?

It would probably need to be a limit on anything using Commerce components. So, if a block from Commerce were available somewhere on a forum page, for example, I'd say the Stripe.js call should be there too.
The Old Man Posted September 16, 2020

Yes, that occurred to me after posting, but it's not 100% required. I think it should be restricted to the majority of Commerce related pages.
RoleplayUK Posted January 3, 2021

@bfarber I would also love the option to restrict this to commerce related pages also.

Also is there an option to redirect the user to a Stripe checkout page rather than using the integrated commerce one? People on our community would feel more confident in entering their details.
bfarber Posted January 4, 2021

23 hours ago, RoleplayUK said:
> @bfarber I would also love the option to restrict this to commerce related pages also.
> Also is there an option to redirect the user to a Stripe checkout page rather than using the integrated commerce one? People on our community would feel more confident in entering their details.

I'm afraid this is not an option at this time, although SCA sometimes results in a page from Stripe (or I believe more accurately, the card issuer) appearing in the browser when the user checks out in order to confirm details.
The Old Man Posted January 5, 2021

Interesting, I found a lot of articles raising concerns about Stripe.js. One example is this article and a follow-up after someone decided to see what is being sent with each request...

https://mtlynch.io/stripe-recording-its-customers/
https://mtlynch.io/stripe-update/

Please IPS reconsider reducing the privacy impact of this by only loading it on the Commerce pages that need it like the checkout process. Stripe do not need to know about website visitors' mouse movements and clicks to this extent, it's hugely intrusive and disproportionate which goes against the principles of GDPR and other modern privacy legislation. Our end users don't get the chance to opt in to sitewide surveillance tracking, even if they are guests and not signed in registered members they are potentially being tracked.

Alternatively please give us the toggle option to disable it for ourselves if we prefer, or some template logic limiting it to Commerce or perhaps maybe a CSP that we utilise.

For now I'm going to disable Stripe. It's a great product and very reliable, but global intrusive privacy implications and lack of transparency are very off-putting.

Many thanks.
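One way the CSP idea raised in the post above could look, as an added example that is not code from IPS, Stripe, or any poster in this thread: a per-path Content-Security-Policy that allows Stripe's origins only on commerce pages, so the browser refuses to load Stripe.js elsewhere even if the script tag is present. The path prefixes (taken from the /store and /subscriptions mentions earlier in the thread), the baseline policy, and the function names are assumptions; the Stripe origins are the ones Stripe documents for Stripe.js.

```javascript
// Origins Stripe documents for sites that run Stripe.js under a CSP.
const STRIPE_SOURCES = {
  "script-src": ["https://js.stripe.com"],
  "frame-src": ["https://js.stripe.com", "https://hooks.stripe.com"],
  "connect-src": ["https://api.stripe.com"],
};

// Assumed commerce path prefixes; adjust to the site's real routes.
const COMMERCE_PREFIXES = ["/store", "/subscriptions"];

// Constructed baseline policy; a real site starts from its own directives.
const BASE_POLICY = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "frame-src": ["'self'"],
  "connect-src": ["'self'"],
};

function isCommercePath(rawUrl) {
  // Drop query string and fragment, fold case, collapse repeated slashes.
  const path = rawUrl.split(/[?#]/)[0].toLowerCase().replace(/\/{2,}/g, "/");
  // Match whole segments only, so /storefront is not treated as /store.
  // Percent-encoded variants are not decoded and therefore fail closed.
  return COMMERCE_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

function cspFor(rawUrl, base = BASE_POLICY) {
  // Copy the baseline so the shared object is never mutated.
  const policy = {};
  for (const [dir, srcs] of Object.entries(base)) policy[dir] = [...srcs];
  if (isCommercePath(rawUrl)) {
    for (const [dir, srcs] of Object.entries(STRIPE_SOURCES)) {
      policy[dir] = [...new Set([...(policy[dir] || []), ...srcs])];
    }
  }
  // Serialize as the value of the Content-Security-Policy response header.
  return Object.entries(policy)
    .map(([dir, srcs]) => `${dir} ${srcs.join(" ")}`)
    .join("; ");
}
```

A Commerce block embedded on a forum page, the case discussed earlier in the thread, would not get the Stripe origins under this path-based rule and would need its own prefix or a per-page flag.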
CoffeeCake Posted January 5, 2021

This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?
The Old Man Posted January 5, 2021

Hi Paul, yes I thought the same but preferably I'd like IPS to improve the integration as stock. They removed Gravatar due to privacy concerns, this seems a worse scenario. Plus it's not a full removal, just managing the risk better IMHO. 🤔
bfarber Posted January 6, 2021

21 hours ago, Paul E. said:
> This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

I am unaware of any reason such a plugin would not be allowed on the marketplace.
RoleplayUK Posted January 14, 2021

On 1/5/2021 at 4:04 PM, Paul E. said:
> This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

@Paul E. Is this something you will be releasing? I would be very interested.