#Ludvig-secret
The client secret is safe to be exposed in that URL
It is your secret key that you used to create the payment intent that needs to stay secret
But why is it exposed in the url? Is stripe doing it for some reason?
Unsure on the exact design decisions behind that. Do you have worries about that being exposed like that or are you just curious as to why?
Well, I'm not exactly worried as I believe you make wise security decisions, but yes, a bit curious as to why it's there
Does it have something to do with stripe resolving the payment by redirecting to that url?
Unsure at the moment. Will see what I can find about the return URL
Hello!
Did you find anything, Pompey?
Hey
The client secret is included in the URL to make it easier for you to link the request to your server back to the payment.
Have I understood it right, that it could be used if I want to show a receipt, then I can take the returned client secret and see which order it was about? Or to continue on the same order if the payment failed?
Could you give some other examples when this is useful as I'm not entirely sure for what this could be used
It's also useful if the payment fails and you want to have the customer attempt payment again. You don't have to fetch the client secret from your server again.
Your understanding is also correct. You can use it to fetch the Payment Intent, update your backend, etc.
If it wasn't in the URL, how would you know which payment the request was for? You could track it outside of Stripe using cookies or something like that, but doing so would be more fragile and error-prone, so we provide the client secret in the URL to make it easy to link everything together.
Yeah this was kind of what I was wondering about, what is this in the URL and why is it there?
I was thinking if this could be done under the hood somehow and if it was a good idea to expose it like that, but yeah, I'm of course trusting your decisions over at Stripe.
Is it that the client data/state/cookies could be wiped and the URL might be the only guaranteed place for something like this to live right after a redirect?
Yes. Or maybe there are no client data/state/cookies at all.
Can I ask about the motivation behind your questions? Are you concerned about something? Having an issue implementing something?
Alright, well I think I understand why it's there now. Thanks for answering the questions!
Sure. I just noticed some stuff in the URL after a redirect and wondered about the purpose of it. It felt weird and bloaty that there was stuff in my website's URL that I didn't put there. I never read anything about Stripe doing this, although a look at the URL kinda makes it obvious where it's coming from, but yeah, now I understand the reason for it, and as long as it's safe to be exposed like this then it's all good.
I think you can close the thread
Sounds good! Let us know if you need anything else!
What's up?
In this thread: 918175399467417692
I made a reproduction of the payment element and themes that turned out to apparently be a bug in chrome, that stripe devs then forwarded to the chromium devs. Hanzo mentioned there's a ticket on it somewhere.
I wonder if you know anything about this bug getting anywhere? If there's somewhere I could watch this myself, I'm curious to what it is and when it could be resolved? Should I tag Hanzo or send him a pm about it instead since he knows what I'm talking about?
Is this the one related to the next-themes package?
yes
I just wonder what the issue is, what's going on, when it will be resolved
it's just a minor issue but since I found it I'm still interested
if there's some way for me to watch the bug without having to bother you that would be nice, so if you have a link or if you have an update on how it's going:)
It looks like it's probably a Chrome bug. We're tracking it internally, but we haven't been able to prioritize it yet due to the holidays and you're the only person who's reported it so far. Would you be able to provide a minimal test case that consistently reproduces the issue we can link to in the issue?
Is this minimal enough? https://github.com/LB22/stripe-repro-payment-element
Oh so it's still only internally? Yeah I understand it's no high priority.
I was just thinking if it had been posted to the Chrome devs, then maybe there was an open ticket I could watch somewhere
There's no Chrome bug for it that I'm aware of. As far as a minimal reproduction, I mean something we can click on and immediately see the issue. This looks like something we would need to install and run locally.
So you want something like a codesandbox or jsfiddle?
That would be fine, yep!
Hm, I'm unable to reproduce there.
Are you running a chromium browser?
Yep, Chrome 96.0.4664.110.
Maybe you have the experimental Auto Dark Mode for Web Contents (#enable-force-dark) enabled under chrome://flags/
Well here's the thing, it needs to be refreshed while in dark mode
and then switch it over to light
If you have light mode on, then it will work as expected
Wait, so it has to start in dark mode? I've switched back and forth a bunch of times and it's fine, but I always started in light mode.
Ah, there we go.
Alright, so you see the problem now. Again, I understand it's no high priority, hence it would be nice if I could watch it myself. But it does break the UI design for Chromium browsers, which is not too nice. Just wonder where the problem lies and if I could help somehow :)
Updated our internal bug report with those reproduction steps and that link, thank you!
Providing that test case and info helps.
Awesome! So it's getting somewhere
Do you mind me asking in #dev-help for an update on this perhaps next week, just to see if something has happened?
If you want to receive updates go to https://support.stripe.com/contact/email and fill out the form to create a support ticket. Provide details about your issue and mention me (Rubeus) in your message. Let me know when you've submitted the form so I can grab your ticket and follow up when there's news.
Cool! I'll fill it out now
Alright, done. I mentioned you in there. I hope it's enough
Thanks a lot for everything! You can close this thread now