samccn-sri | Stripe Developers | Page 1

vestal moon Jan 12, 2022, 12:08 AM

#

@warped void no, that's impossible and it wouldn't make sense in this case.

#

we control Stripe.js, it comes from our servers, we change it regularly, sometimes dozens of times per day, so SRI can't work

warped void Jan 12, 2022, 12:08 AM

#

yeah i get that the library is updated daily - is there a way to pin the version?

vestal moon Jan 12, 2022, 12:09 AM

#

no there isn't, we don't want anyone to use an old version, if you tried the calls woudl immediately all fail

#

you have to always use the latest version for both security and PCI reasons

warped void Jan 12, 2022, 12:10 AM

#

is there any way to get informed about library updates?

vestal moon Jan 12, 2022, 12:10 AM

#

there is not no. You have to understand that we control and deploy code constantly, you have no way to control the version. We're a pretty large financial company and we test Stripe.js thoroughly, there's no reason to need to pin to a specific version

warped void Jan 12, 2022, 12:12 AM

#

yeah i get it... just that a particular client is hellbent on us having a high mozilla observatory security score https://observatory.mozilla.org/

Mozilla Observatory

#

they ding you a lot of points for not using SRI

#

guess theres nothing that can be done though

vestal moon Jan 12, 2022, 12:12 AM

#

yeah unfortunately nothing can be done

warped void Jan 12, 2022, 12:12 AM

#

ok thanks for your time

vestal moon Jan 12, 2022, 12:14 AM

#

Sure, sorry I couldn't help more 😦

warped void Jan 12, 2022, 12:14 AM

#

no worries, not your fault 🙂

#samccn-sri