
I'm curious about how this change handles cross-domain security. Is there never any sensitive data in Stripe.js' JSONP responses? Or do y'all have a mechanism for preventing a malicious 3rd party site from loading a script pointing at one of your JSONP URLs?


It shouldn't be any different than the existing functionality. stripe.js is solely responsible for turning credit card information into one-use tokens, so that CC information never hits your servers. That token is then used to communicate with Stripe using a private shared key (kept server-side, never exposed on the client) to create a Customer record, which is then used to conduct the actual money parts of the transaction.

So, a malicious party could create tokens with CC information, but without the private key they'd have no way to use them.


Yeah, that's right. It's also worth emphasizing that the Stripe API doesn't support sessions, and so isn't vulnerable to standard CSRF attacks.


This is only an issue if you use cookies to authenticate JSONP requests, which you shouldn't do.

I wrote a summary of the issues with JSONP on StackOverflow a while ago: http://stackoverflow.com/a/1392153
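
The distinction drawn in the thread above, as an added example (not code from any commenter or from Stripe): a JSONP handler that trusts cookies beside one that ignores them and requires a public key in the URL. All names, keys and session data are constructed, and `mintToken` is a hypothetical stand-in for the server's tokenizer.

```javascript
// Added example with constructed data; every name here is hypothetical.
const SESSIONS = new Map([["sess-abc", { user: "alice", email: "alice@example.test" }]]);
const PUBLISHABLE_KEYS = new Set(["pk_demo_123"]);
// Accept only plain identifiers as callback names, so the response body
// cannot carry arbitrary script chosen by the caller.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function jsonp(callback, payload, status = 200) {
  if (!CALLBACK_RE.test(callback || "")) return { status: 400, body: "" };
  return { status, body: `${callback}(${JSON.stringify(payload)});` };
}

// Weak: identity comes from the cookie. Unless SameSite restrictions apply,
// the browser attaches it to a <script src> request whichever site's page
// contains the tag, so that page's callback receives the user's data.
function cookieAuthJsonp(req) {
  const session = SESSIONS.get(parseCookies(req.headers.cookie).sid);
  if (!session) return jsonp(req.query.callback, { error: "unauthenticated" }, 401);
  return jsonp(req.query.callback, session);
}

// Corrected: cookies are never read. The caller names itself with a public
// key in the URL, and the response holds only a one-use token that is
// useless without the secret key kept on the merchant's server.
function keyAuthJsonp(req, mintToken) {
  if (!PUBLISHABLE_KEYS.has(req.query.key)) {
    return jsonp(req.query.callback, { error: "invalid key" }, 401);
  }
  return jsonp(req.query.callback, { token: mintToken() });
}

// What a <script src> tag on an unrelated site makes a logged-in browser send.
function crossSiteRequest(query) {
  return { headers: { cookie: "sid=sess-abc" }, query };
}
```

With the same cookie-bearing request, `cookieAuthJsonp` hands the session record to whatever callback was named, while `keyAuthJsonp` returns either an error or a token that carries nothing about the logged-in user.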



