Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

2016-09-05 Thread Bryan Richter
On Mon, Sep 05, 2016 at 09:30:19AM +0300, Bryan Richter wrote:
> 
> After thinking about it this weekend, I think I'm comfortable with
> putting this on the near-term roadmap.

Update: https://tree.taiga.io/project/snowdrift/issue/472


signature.asc
Description: Digital signature
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

2016-09-05 Thread Bryan Richter
On Sat, Sep 03, 2016 at 01:23:49PM -0500, Stephen Paul Weber wrote:
> 
> Bryan wrote:
>> On Fri, Sep 02, 2016 at 11:18:43PM -0700, Aaron Wolf wrote:
>>> Update: I checked with Crowd Supply what they do…
>>> 
>>> They say they simply have a form that doesn't use any JS, they
>>> process the form data server-side and send to stripe via Stripe's
>>> API, and they never store any payment data to disk so avoid any
>>> extra compliance burden.
>> 
>> 
>> We can switch to that method eventually, of course, once we
>> feel we have the bandwidth to deal with potential complications.
>
> For what it's worth, I've done this with stripe before and never
> been faced with any challenge or request to verify my compliance. If
> they do that, it's probably only after a certain volume.

After thinking about it this weekend, I think I'm comfortable with
putting this on the near-term roadmap. For the time being, however,
I'm going to stick with their JS just so I can implement the other
stuff faster.


signature.asc
Description: Digital signature
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

2016-09-03 Thread Stephen Paul Weber
For what it's worth, I've done this with stripe before and never been faced 
with any challenge or request to verify my compliance. If they do that, it's 
probably only after a certain volume.

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Bryan Richter
Sent: Saturday, September 3, 2016 10:41
To: discuss@lists.snowdrift.coop
Reply To: General discussion about Snowdrift.coop
Subject: Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

On Fri, Sep 02, 2016 at 11:18:43PM -0700, Aaron Wolf wrote:
> Update: I checked with Crowd Supply what they do…
> 
> They say they simply have a form that doesn't use any JS, they
> process the form data server-side and send to stripe via Stripe's
> API, and they never store any payment data to disk so avoid any
> extra compliance burden.

Yeah, but, they have to go through the extra bureaucracy of claiming
they don't store payment data, and that their logs don't accidentally
capture it somehow (as well as making sure that never ever happens). I
imagine it's all self-enforced, but we really don't have the bandwidth
to deal with any challenges to our claims.

We can switch to that method eventually, of course, once we feel we
have the bandwidth to deal with potential complications.
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

2016-09-03 Thread Aaron Wolf
Update: I checked with Crowd Supply what they do…

They say they simply have a form that doesn't use any JS, they process
the form data server-side and send to stripe via Stripe's API, and they
never store any payment data to disk so avoid any extra compliance burden.

This approach would work with NoScript even! I don't know what the
issues would be, and I could imagine that doing this delays our
"take-my-money" immediate functional launch, but I'll leave that
determination to Bryan. If this would work, it seems the full solution
with tons of advantages…



signature.asc
Description: OpenPGP digital signature
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] Using Stripe.js will break LibreJS

2016-09-01 Thread Bryan Richter
On Thu, Sep 01, 2016 at 05:15:48PM +0300, Bryan Richter wrote:
> 
> I think we need to bend on this one, accept the realities of 2016, and
> use stripe.js anyway. We can try to provide advanced warning to
> LibreJS/noscript fans if it's truly necessary.

Also, it would be quite simple to restrict inclusion of stripe.js on
to just a few page(s). Then we can say "Heads up, here's a thing
that's about to happen" when we send people there.

It should only be needed when a person adds or modifies their payment
info. The system provides a token we can use on a recurring basis to
do transactions later.


signature.asc
Description: Digital signature
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss