Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
On Mon, Sep 05, 2016 at 09:30:19AM +0300, Bryan Richter wrote: > > After thinking about it this weekend, I think I'm comfortable with > putting this on the near-term roadmap. Update: https://tree.taiga.io/project/snowdrift/issue/472 signature.asc Description: Digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
On Sat, Sep 03, 2016 at 01:23:49PM -0500, Stephen Paul Weber wrote: > > Bryan wrote: >> On Fri, Sep 02, 2016 at 11:18:43PM -0700, Aaron Wolf wrote: >>> Update: I checked with Crowd Supply what they do… >>> >>> They say they simply have a form that doesn't use any JS, they >>> process the form data server-side and send to stripe via Stripe's >>> API, and they never store any payment data to disk so avoid any >>> extra compliance burden. >> >> >> We can switch to that method eventually, of course, once we >> feel we have the bandwidth to deal with potential complications. > > For what it's worth, I've done this with stripe before and never > been faced with any challenge or request to verify my compliance. If > they do that, it's probably only after a certain volume. After thinking about it this weekend, I think I'm comfortable with putting this on the near-term roadmap. For the time being, however, I'm going to stick with their JS just so I can implement the other stuff faster. signature.asc Description: Digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
For what it's worth, I've done this with stripe before and never been faced with any challenge or request to verify my compliance. If they do that, it's probably only after a certain volume. Sent from my BlackBerry 10 smartphone. Original Message From: Bryan Richter Sent: Saturday, September 3, 2016 10:41 To: discuss@lists.snowdrift.coop Reply To: General discussion about Snowdrift.coop Subject: Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS On Fri, Sep 02, 2016 at 11:18:43PM -0700, Aaron Wolf wrote: > Update: I checked with Crowd Supply what they do… > > They say they simply have a form that doesn't use any JS, they > process the form data server-side and send to stripe via Stripe's > API, and they never store any payment data to disk so avoid any > extra compliance burden. Yeah, but, they have to go through the extra bureaucracy of claiming they don't store payment data, and that their logs don't accidentally capture it somehow (as well as making sure that never ever happens). I imagine it's all self-enforced, but we really don't have the bandwidth to deal with any challenges to our claims. We can switch to that method eventually, of course, once we feel we have the bandwidth to deal with potential complications. ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
On Fri, Sep 02, 2016 at 11:18:43PM -0700, Aaron Wolf wrote: > Update: I checked with Crowd Supply what they do… > > They say they simply have a form that doesn't use any JS, they > process the form data server-side and send to stripe via Stripe's > API, and they never store any payment data to disk so avoid any > extra compliance burden. Yeah, but, they have to go through the extra bureaucracy of claiming they don't store payment data, and that their logs don't accidentally capture it somehow (as well as making sure that never ever happens). I imagine it's all self-enforced, but we really don't have the bandwidth to deal with any challenges to our claims. We can switch to that method eventually, of course, once we feel we have the bandwidth to deal with potential complications. signature.asc Description: Digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
Update: I checked with Crowd Supply what they do… They say they simply have a form that doesn't use any JS, they process the form data server-side and send to stripe via Stripe's API, and they never store any payment data to disk so avoid any extra compliance burden. This approach would work with NoScript even! I don't know what the issues would be, and I could imagine that doing this delays our "take-my-money" immediate functional launch, but I'll leave that determination to Bryan. If this would work, it seems the full solution with tons of advantages… signature.asc Description: OpenPGP digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
On 09/01/2016 07:22 AM, Bryan Richter wrote: > On Thu, Sep 01, 2016 at 05:15:48PM +0300, Bryan Richter wrote: >> >> I think we need to bend on this one, accept the realities of 2016, and >> use stripe.js anyway. We can try to provide advanced warning to >> LibreJS/noscript fans if it's truly necessary. > > Also, it would be quite simple to restrict inclusion of stripe.js on > to just a few page(s). Then we can say "Heads up, here's a thing > that's about to happen" when we send people there. > > It should only be needed when a person adds or modifies their payment > info. The system provides a token we can use on a recurring basis to > do transactions later. > > Agreed about this compromise, but we should also note that Paypal may work without JS (not sure), and we could investigate Dwolla and others. So, for the time where it's just one project: * First we can work with Stripe's non-free JS reasonably sandboxed to not interfere where it isn't needed * Next, after "take my money" start, we can consider other payment options since no splitting of payments is needed when it's just one project * Long-term, we can consider what to do, whether we can feasibly manage with multiple processors for multi-project situation or deal with the compliance thing. Overall, we can aim to get help from the community at that point. I think making this compromise and communicating it is the right decision. signature.asc Description: OpenPGP digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss
Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS
On Thu, Sep 01, 2016 at 05:15:48PM +0300, Bryan Richter wrote: > > I think we need to bend on this one, accept the realities of 2016, and > use stripe.js anyway. We can try to provide advanced warning to > LibreJS/noscript fans if it's truly necessary. Also, it would be quite simple to restrict inclusion of stripe.js on to just a few page(s). Then we can say "Heads up, here's a thing that's about to happen" when we send people there. It should only be needed when a person adds or modifies their payment info. The system provides a token we can use on a recurring basis to do transactions later. signature.asc Description: Digital signature ___ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss