- Issue created by @newaytech
- 🇺🇸United States simonjoe
Hello,
I am assuming you are inquiring about the need for SRI. Commerce_stripe doesn't employ the integrity parameter when it includes the JS library. This will get you flagged for PCI 4.0 compliance, as you are probably running into.
I handled this today for my employer with a patch to commerce_stripe.module
First, modify the build function slightly.
function commerce_stripe_library_info_build() {
  $libraries = [];
  $stripe_src = 'https://js.stripe.com/v3/';
  // Compute the SRI value for the library at build time (see fetch_stripe_integrity() below).
  $stripe_integrity = fetch_stripe_integrity($stripe_src);
  // @todo get this value from global or payment gateway settings.
  $use_fraud_detection = TRUE;
  if (!$use_fraud_detection) {
    $stripe_src .= '?advancedFraudSignals=false';
  }
  $libraries['stripe'] = [
    'version' => '3',
    'js' => [
      $stripe_src => [
        'type' => 'external',
        'minified' => TRUE,
        // Emitted as the integrity="..." and crossorigin="anonymous" attributes on the <script> tag.
        'attributes' => [
          'integrity' => $stripe_integrity,
          'crossorigin' => 'anonymous',
        ],
      ],
    ],
  ];
  return $libraries;
}
Then, add a new function to calculate the hash value at runtime.
function fetch_stripe_integrity($url) {
  // Download the script body so its digest can be computed.
  $ch = curl_init($url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  $response = curl_exec($ch);
  if ($response === false) {
    $error = curl_error($ch);
    curl_close($ch);
    throw new Exception('Curl error: ' . $error);
  }
  curl_close($ch);
  // SRI wants the raw (binary) digest, base64-encoded, prefixed with the algorithm name.
  $hash = hash('sha384', $response, true);
  $base64_hash = base64_encode($hash);
  // Return the hash in the required format
  return 'sha384-' . $base64_hash;
}
You will need to track these changes and re-apply them after any update to commerce_stripe in the future.
After these modifications, I pass PCI 4.0 as scanned by Tenable.
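As an added example (not from the issue, the commerce_stripe module, or simonjoe's patch), the same sha384 computation written as a reusable check: one function builds an SRI string from a script body, and a second verifies a body against an already-pinned integrity value, which is the comparison a browser performs when the integrity attribute is present. The function names and the sample script body are constructed for the example.

```php
<?php
// Added example, not part of commerce_stripe. Computes an SRI integrity
// string for a script body and checks a body against a pinned value.

function sri_integrity(string $body, string $algo = 'sha384'): string {
  // SRI format: "<algo>-<base64 of the raw digest>".
  return $algo . '-' . base64_encode(hash($algo, $body, true));
}

function sri_matches(string $body, string $integrity): bool {
  // An integrity attribute may carry several space-separated tokens.
  // This simplified check passes if any well-formed token matches;
  // tokens with unknown algorithms or bad encoding are skipped.
  foreach (preg_split('/\s+/', trim($integrity)) as $token) {
    if (!preg_match('/^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)$/', $token, $m)) {
      continue;
    }
    $expected = base64_decode($m[2], true);
    if ($expected === false) {
      continue;
    }
    // Constant-time comparison of the two raw digests.
    if (hash_equals(hash($m[1], $body, true), $expected)) {
      return true;
    }
  }
  return false;
}

// Constructed sample: pin the value once from a known-good copy of the
// script, then check later-fetched bodies against that pinned value.
$known_good = "console.log('stripe stub');\n"; // constructed stand-in for the real library
$pinned = sri_integrity($known_good);

$unchanged = $known_good;
var_dump(sri_matches($unchanged, $pinned));

$modified = $known_good . "console.log('x');\n";
var_dump(sri_matches($modified, $pinned));
```

The pinned string is what belongs in the library definition's 'integrity' attribute; anything that changes the served bytes, including a new library release, makes the check fail until the value is re-pinned.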