
[Commerce] Stripe JS


AlexWright

4 minutes ago, bfarber said:

Stripe requires the javascript to be included site-wide to properly evaluate behavior for fraud. In short - no, there's no out of the box way to do this.

Can you point us to the docs for that requirement from Stripe, @bfarber? That link that I found above states:

Quote

The more activity Stripe’s fraud engines can observe, the better Stripe’s fraud prevention will be. Stripe therefore encourages including Stripe.js on every page of the shopping experience, not just the checkout page. This level of Stripe.js coverage gives Stripe the richest possible set of such signals to distinguish fraudulent purchasers from real customers.

I'm wondering if we limit the inclusion of the Stripe.js to those pages involved in the shopping experience (looking at the /subscriptions page, anything within /store, etc.), if we'd be reducing the overhead of loading that javascript for most members in communities where the only purchasable thing is subscriptions. The vast number of people on our site will never purchase anything. I suppose the issue is what if someone puts a store block on a forum page.


I've raised this before as well. I like Stripe, but this 'requirement' is ridiculously OTT and potentially a privacy/tracking issue. This issue needs pressing with them, honestly. It's creepy and unnecessary. In fact the rest of my website (non-IPS content/my own web pages) doesn't include these files ever throughout (1000s of pages), and they have never complained about it or stopped a client from paying via Stripe.


I'm not sure it's an actual requirement. I've dug through their documentation and I can't find anything other than what I posted above.

My guess is that IPS can't be sure what an administrator will do with the platform, and out of an abundance of caution, put the javascript on every page. I'd recommend a more liberal approach that loads the javascript on any page with nexus related content. Maybe the overhead is not worth it--not sure. If there's no block for a product on the page, etc. then don't show the javascript. However, what if someone uses Pages to make product informational pages that lead into a product in Commerce?

If I were IPS, I'd say "let's just slap it on everything and call it a day."


Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:

Quote

Include Stripe.js on every page of your site, not just the checkout page where your customer enters their payment information. By doing so, Stripe can detect anomalous behavior that may be indicative of fraud as customers browse your website—providing additional signals that increase the effectiveness of our detection.

https://stripe.com/docs/radar/checklist#include-stripe-js

Browsing my boring webpages or members discussing what ice cream or TV series they prefer isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site-wide, everyday pages.

 


20 hours ago, The Old Man said:

Yeah, a little bit more here, I think it's a recommendation not a strict mandatory requirement:

https://stripe.com/docs/radar/checklist#include-stripe-js

Browsing my boring webpages or members discussing what ice cream or TV series they prefer isn't going to identify anyone as a fraudster, poor taste perhaps. Commerce transactions, baskets, checkouts, absolutely, but not site-wide, everyday pages.

 

Yes, this is it right here. Perhaps my wording of "requirement" was not accurate so apologies for that. The fact is, Stripe recommends doing this, so we do it. 


  • 3 months later...

@bfarber I would also love the option to restrict this to commerce related pages also.

Also is there an option to redirect the user to a stripe checkout page rather than using the integrated commerce one? 

People on our community would feel more confident in entering their details.


23 hours ago, RoleplayUK said:

@bfarber I would also love the option to restrict this to commerce related pages also.

Also is there an option to redirect the user to a stripe checkout page rather than using the integrated commerce one? 

People on our community would feel more confident in entering their details.

I'm afraid this is not an option at this time, although SCA sometimes results in a page from Stripe (or I believe more accurately, the card issuer) appearing in the browser when the user checks out in order to confirm details.


Interesting, I found a lot of articles raising concerns about Stripe.js; one example is this article and a follow-up after someone decided to see what is being sent with each request...

https://mtlynch.io/stripe-recording-its-customers/

https://mtlynch.io/stripe-update/
 

Please, IPS, reconsider reducing the privacy impact of this by only loading it on the Commerce pages that need it, like the checkout process. Stripe do not need to know about website visitors' mouse movements and clicks to this extent; it's hugely intrusive and disproportionate, which goes against the principles of GDPR and other modern privacy legislation. Our end users don't get the chance to opt in to sitewide surveillance tracking; even if they are guests and not signed-in registered members, they are potentially being tracked.

Alternatively please give us the toggle option to disable it for ourselves if we prefer, or some template logic limiting it to Commerce or perhaps maybe a CSP that we utilise.

For now I'm going to disable Stripe. It's a great product and very reliable, but global intrusive privacy implications and lack of transparency are very off-putting.

Many thanks.
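
As an added illustration of the CSP idea raised in the post above (not part of the thread, and not IPS or Stripe code): a per-path policy builder that admits Stripe origins only on commerce routes. The `/store` and `/subscriptions` prefixes come from the earlier post; the base policy, the function names and the list of Stripe origins are assumptions to check against Stripe's current CSP guidance.

```javascript
// Added example: per-path Content-Security-Policy that admits Stripe origins
// only on commerce routes. Prefixes and base policy are assumptions.
const COMMERCE_PREFIXES = ['/store', '/subscriptions'];

// Origins Stripe.js is assumed to need; verify against Stripe's CSP guidance.
const STRIPE = {
  'script-src': ['https://js.stripe.com'],
  'frame-src': ['https://js.stripe.com', 'https://hooks.stripe.com'],
  'connect-src': ['https://api.stripe.com'],
};

const BASE = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'frame-src': ["'none'"],
  'connect-src': ["'self'"],
};

// Normalize before matching: drop the query, resolve "..", collapse "//",
// ignore case and trailing slash (assumes the site routes case-insensitively).
function normalizePath(rawUrl) {
  const { pathname } = new URL('https://example.invalid' + rawUrl);
  const collapsed = pathname.replace(/\/{2,}/g, '/').toLowerCase();
  return collapsed.length > 1 ? collapsed.replace(/\/$/, '') : collapsed;
}

// Match on a whole path segment so "/storefront" is not treated as "/store".
function isCommercePath(rawUrl) {
  const p = normalizePath(rawUrl);
  return COMMERCE_PREFIXES.some((pre) => p === pre || p.startsWith(pre + '/'));
}

function cspForPath(rawUrl) {
  const policy = {};
  for (const [dir, srcs] of Object.entries(BASE)) policy[dir] = [...srcs];
  if (isCommercePath(rawUrl)) {
    for (const [dir, srcs] of Object.entries(STRIPE)) {
      // 'none' cannot be combined with other sources, so drop it first.
      policy[dir] = policy[dir].filter((s) => s !== "'none'").concat(srcs);
    }
  }
  return Object.entries(policy)
    .map(([dir, srcs]) => `${dir} ${srcs.join(' ')}`)
    .join('; ');
}
```

A policy like this only stops the browser from loading the script; the template still has to stop emitting the tag on non-commerce pages, and a store block placed on a forum page, as raised earlier in the thread, would be blocked from loading Stripe.js.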


Hi Paul, yes I thought the same but preferably I'd like IPS to improve the integration as stock. They removed Gravatar due to privacy concerns; this seems a worse scenario. Plus it's not a full removal, just managing the risk better IMHO. 🤔

Edited by The Old Man

21 hours ago, Paul E. said:

This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

I am unaware of any reason such a plugin would not be allowed on the marketplace.


  • 2 weeks later...
On 1/5/2021 at 4:04 PM, Paul E. said:

This looks like we could handle it with a simple plugin. Would such a plugin be okay to release on the Marketplace?

@Paul E. Is this something you will be releasing? I would be very interested.

Edited by RoleplayUK