If you're bringing down CSS from a third party, you trust them not to deface you. If it's JS, you trust them with essentially everything. And you're trusting that none them are hacked.https://twitter.com/hanno/status/965280746876305409 …
While maybe needed because they designed it insecurely, this is not legitimate. Services like Stripe should be accessed via a fixed https-based API allowing you to copy their js locally or write your own.
-
-
I don't understand how security fixes could be quickly distributed that way. And it's not reasonable to expect coordination with all downstream embedders. Fundamentally, a website does need to be able to get "the latest code" from Stripe without much hassle.
-
That's indicative of an API design problem.
-
I think it's a fundamental problem, and I don't know what API design could do to fix it.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.