stripe/stripe-js

Lack of Cross-Origin-Related HTTP Security Headers

dbosompem opened this issue · 18 comments

When using <script src="https://js.stripe.com/v3" async></script> to embed Stripe in a website, as detailed in your README here, I would hope that Stripe is following best practices for resources that are consumed by other origins. They should be responding with a Cross-Origin-Resource-Policy header so that sites embedding Stripe can start using the following header on their main document: Cross-Origin-Embedder-Policy: require-corp.

Environment

No response

Reproduction

No response
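The opening post asks for a Cross-Origin-Resource-Policy header but does not spell out what that header changes once a page sends COEP: require-corp. The following is an added example (not code from stripe-js or from Stripe) that models the decision a browser makes for a cross-origin subresource load under that policy, and includes a small parser so captured response headers can be fed into it. The page and resource URLs (shop.example, cdn.shop.example), the header sets, and the scenario with Access-Control-Allow-Origin are all constructed for illustration; none of them is a claim about what js.stripe.com actually returns. "Same-site" is approximated by the last two host labels rather than the Public Suffix List.

```javascript
// Added example (not from stripe-js or Stripe): models the check a browser applies
// to a cross-origin subresource (script, image, font, ...) when the embedding page
// sends Cross-Origin-Embedder-Policy: require-corp. Same-site is approximated by the
// last two host labels (real browsers use the Public Suffix List); all responses and
// hostnames below are constructed, not captured from js.stripe.com.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function siteOf(url) {
  // Approximation of the registrable domain; fine for example.com-style hosts.
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Turn raw response headers (e.g. the output of `curl -sI <url>`) into an object
// keyed by lower-case header name, so captured headers can be fed to corpCheck().
function parseHeaderBlock(text) {
  const headers = {};
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skips the status line and blank lines
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

// request: { documentUrl, resourceUrl, mode: 'no-cors' | 'cors', credentials, embedderPolicy }
// headers: object with lower-case header names. Returns { allowed, reason }.
function corpCheck(request, headers) {
  const docOrigin = originOf(request.documentUrl);
  const resOrigin = originOf(request.resourceUrl);
  if (docOrigin === resOrigin) return { allowed: true, reason: 'same-origin' };

  // A CORS-mode load (e.g. <script crossorigin="anonymous">) is not subject to CORP;
  // it stands or falls on the CORS check instead.
  if (request.mode === 'cors') {
    const acao = headers['access-control-allow-origin'];
    if (acao === '*' && !request.credentials) return { allowed: true, reason: 'CORS allowed (*)' };
    if (acao === docOrigin) return { allowed: true, reason: 'CORS allowed (origin match)' };
    return { allowed: false, reason: 'CORS check failed' };
  }

  const corp = (headers['cross-origin-resource-policy'] || '').trim().toLowerCase();
  switch (corp) {
    case 'cross-origin':
      return { allowed: true, reason: 'CORP: cross-origin' };
    case 'same-site':
      return siteOf(request.documentUrl) === siteOf(request.resourceUrl)
        ? { allowed: true, reason: 'CORP: same-site, sites match' }
        : { allowed: false, reason: 'CORP: same-site, different site' };
    case 'same-origin':
      return { allowed: false, reason: 'CORP: same-origin' };
    default:
      // No CORP header: fine for an ordinary page, but under require-corp the
      // browser treats the response as if it had said same-origin.
      return request.embedderPolicy === 'require-corp'
        ? { allowed: false, reason: 'no CORP header and page sends COEP: require-corp' }
        : { allowed: true, reason: 'no CORP header, page sends no COEP' };
  }
}

// Constructed scenarios (hostnames and headers are illustrative only).
const PAGE = 'https://shop.example/checkout';
const STRIPE_JS = 'https://js.stripe.com/v3';
const noCors = (resourceUrl, embedderPolicy = 'require-corp') =>
  ({ documentUrl: PAGE, resourceUrl, mode: 'no-cors', credentials: true, embedderPolicy });

const SAMPLE_SCENARIOS = [
  ['plain <script src> of Stripe.js, no CORP header, page sends require-corp',
   noCors(STRIPE_JS), { 'content-type': 'application/javascript' }],
  ['same load, page sends no COEP',
   noCors(STRIPE_JS, 'unsafe-none'), { 'content-type': 'application/javascript' }],
  ['what this issue asks for: response carries CORP: cross-origin',
   noCors(STRIPE_JS), { 'cross-origin-resource-policy': 'cross-origin' }],
  ['<script crossorigin="anonymous"> and a server that sends ACAO: * (constructed)',
   { ...noCors(STRIPE_JS), mode: 'cors', credentials: false }, { 'access-control-allow-origin': '*' }],
  ['CORP: same-site from a sibling subdomain of the page',
   noCors('https://cdn.shop.example/lib.js'), { 'cross-origin-resource-policy': 'same-site' }],
  ['CORP: same-origin from a foreign origin',
   noCors(STRIPE_JS), { 'cross-origin-resource-policy': 'same-origin' }],
];

function evaluateScenarios(list) {
  return list.map(([name, request, headers]) => ({ name, ...corpCheck(request, headers) }));
}

for (const r of evaluateScenarios(SAMPLE_SCENARIOS)) {
  console.log(`${r.allowed ? 'LOADS  ' : 'BLOCKED'} ${r.name} (${r.reason})`);
}
```

Run it with node to see each scenario's decision; to test a real endpoint, pass the output of `curl -sI <url>` through parseHeaderBlock() and hand the result to corpCheck(). Note that CORP governs subresources only: a cross-origin iframe inside a require-corp page has to opt in itself with a compatible Cross-Origin-Embedder-Policy on its own response, or be loaded with the credentialless attribute where the browser supports it, which is why later comments in this thread turn to that workaround.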

Hi @dbosompem, thanks for filing this. We're aware of the lack of CORP headers on js.stripe.com/v3 assets, but we don't yet have any timeline for when we will add them. We're tracking this issue internally and will post updates here if we have anything to share.

For our knowledge, can we ask what features you are using on a page with Stripe.js that require cross-origin isolation? e.g. SharedArrayBuffer, performance, etc. Is it feasible for you to load Stripe.js on a separate page that doesn't make use of these features?

@madhav-stripe Thank you for the update, I'm a part of the same organization as @dbosompem. We don't have current needs for any of the APIs locked behind COEP but are just trying to abide by best practices while living in a world where Spectre exists.

There is also talk that browsers will eventually begin to require pages to opt into cross-origin isolation, as detailed here, and we are trying to be prepared.

stale commented

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Chrome 110 ships with the credentialless attribute for the iframe. All you have to do is decorate your iframe with that.

Any updates on this? @madhav-stripe

We do not currently have any updates to share.

There is no Cross-Origin-Resource-Policy defined for the Stripe URL https://js.stripe.com/v3/xxxxxxxxxxxx

Cross-Origin-Resource-Policy: cross-origin


Hi @arunvc. As I mentioned in #460, I do not have any updates to share on this issue.

I'm needing to use SharedArrayBuffer in various components that may or may not be used on the same page as components that use Stripe.
It'd be great if we could get these headers added, or potentially have "credentialless" added to the Stripe iframe controls.

Any updates on this? We need to use SharedArrayBuffer

This is not a stale issue, this should be reopened.

I also would like resolution on this issue.

Any way this can be prioritized?

I was able to work around this using @tylerzey's lead, hopefully this helps someone else

        // Wait until the page (and the iframes Stripe.js injects) has loaded,
        // then mark every iframe credentialless and reload it so the flag takes effect.
        window.addEventListener('load', (e) => {
            const frames = document.getElementsByTagName('iframe')
            for (let i = 0; i < frames.length; i++) {
                // @ts-ignore (credentialless is not in the DOM typings)
                frames[i].credentialless = true
                // Reassigning src forces a reload; the attribute only applies to a fresh navigation
                frames[i].src = frames[i].src
            }
        })

Hey folks, just wanted to share here that we are investigating support for COEP/COOP/CORP internally, but there are no specific plans to enable this in the near future. Additionally, this is not a limitation/feature of this @stripe/stripe-js helper module but of the underlying Stripe.js it loads for you.

I would recommend that you write in to support to share your use case & need for supporting this configuration in a way that can be tied to your accounts: https://support.stripe.com/contact

Thank you @jronnen7 for sharing that potential workaround! I hope that helps others, too.

We also need this. It's pretty sad this has been in a holding pattern for over a year: we should be able to use CSP on our site without things breaking or needing workarounds (iframe credentialless) that don't work in every browser.

To be clear, the only workaround doesn't work in Safari or Firefox which is unworkable for us: https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless#browser_compatibility

It looks like we'll be moving to Adyen because Stripe isn't responding to this issue. Here's my thread with support after signing into https://support.stripe.com/contact and reporting there:


Hello,

I've flagged your request about needing COEP/COOP/CORP in stripe-js to the relevant team. As the Github issue mentions though, unfortunately we don't have any timeline that we can share about when this will be supported.

We will reach out to let you know when we implement support for COEP/COOP/CORP in stripe-js.

Best,
Alex

--------------- Original Message ---------------
From: [max@xxx.net]
Sent: 10/20/2024, 4:46 AM
To: support@stripe.com
Subject: We need support for COEP/COOP/CORP in stripe-js

We need support for COEP/COOP/CORP in stripe-js in order to continue to use it with our site securely, per #417


So, to be clear my options are:

  1. wait for you to release an update, with no certainty of when this will happen
  2. ditch stripe for a competitor
  3. lower the security of our site.

This is very frustrating as you’ve known about this issue for well over a year. I haven’t had this type of issue with any other third party library.

Can you please escalate this and make it a priority?

If not, we may need to go with #2 and I’m sure we’re not the only ones. Thank you!

Regards,
Max Carlson


Hi Alex,

I appreciate you being clear and transparent about this!

Unfortunately, it looks like we need to move to Adyen as they seem to take these kinds of issues seriously and respond within a month, not years:

https://github.com/Adyen/adyen-web/issues?q=is%3Aissue+content+security+policy
Adyen/adyen-web#2336

Thank you!

Regards,
Max Carlson

On Oct 22, 2024, at 6:37 PM, Stripe Support support@stripe.com wrote:

Hello,
Thank you for sharing your concerns. I completely understand how frustrating this situation is for you.
Again, I apologize but we're truly unable to commit to any timeline to support COEP/COOP/CORP in stripe-js at the moment and you might want to consider that this feature is unlikely to be available in the near future.
Best,
Alex

Can this be reopened? It is still an issue.