Security concerns with using Stripe checkout in Cordova

Time: 2021-12-25 15:07:37

I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?

Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.

2 answers

#1


28  

I'm an engineer at Stripe.

Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:

  1. Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
  2. Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js.

Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.

(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)

#2


1  

I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).

Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!

Original answer: Implement Stripe Payment Gateway in Cordova/Phonegap Application
