Removed requirement to load JavaScript from js.braintreegateway.com #259
package.json
@@ -32,6 +32,7 @@ | |||
"@types/papaparse": "4.1.33", | |||
"@types/webcrypto": "^0.0.28", | |||
"angular2-template-loader": "^0.6.2", | |||
"braintree-web-drop-in": "^1.13.0", |
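Review bot: the new `"braintree-web-drop-in": "^1.13.0"` entry is placed among build-only entries (`@types/*` and `angular2-template-loader`), which puts it in devDependencies even though its built drop-in script ends up in the shipped vault bundle; it should be moved under `dependencies`. Also, the caret range allows any later 1.x release of a third-party payment script to be pulled into a production build without review, so an exact pin (`"1.13.0"`) with deliberate bumps would make the supply-chain commitment this PR is making explicit and reproducible.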
Shouldn't this be a regular dependency and not a dev?
I guess? The JS gets copied over during build time. I'm happy to update it if you want
The qrious library you are modeling this after is in dependencies. Please add it there too.
I notice that the dropin is now unminified and 600kb in size. That's pretty large vs before. Any way we can get a min version?
Seems reasonable, I asked here braintree/braintree-web-drop-in#233 (comment)
After this change goes live, I believe the vault's CSP header could be updated: Current:
That discussion with braintree about injecting iframes and scripts brought up some good points. I wonder how hard it would be to move all payment processing to a standalone page that is outside of the vault. Moving it out not only reduces the attack surface of the vault, but would also allow for a simpler and more robust CSP header
A possible bonus to moving purchase outside of the vault: You don't need the user to re-type their password to unlock their vault if they clicked purchase from the browser extension. Right now, as a free user, if I click 'Premium Membership' from the browser extension, then I am brought to Unless there are some technical hurdles I'm not aware of, this seems like a win-win. Not only is security improved by removing 3rd party code, but it's one less step before getting a user to the purchase page, theoretically improving conversion rates
There are future plans to create a "billing portal" that is separate from the web vault, however, for convenience reasons there will likely always be the ability to make purchases from directly within the web vault as well.
Braintree was kind enough to supply a built version of their drop-in library in their node package via braintree/braintree-web-drop-in#233
By pulling this library in through a static build process, it removes the run-time dependency on braintreegateway.com, also reducing the attack surface of the vault.