🇺🇸 United States simonjoe
Hello,
I am assuming you are inquiring about the need for SRI. Commerce_stripe doesn't employ the integrity parameter when it includes the JS library. This will get you flagged for PCI 4.0 compliance, as you are probably running into.
I handled this today for my employer with a patch to commerce_stripe.module.
First, modify the build function slightly.
  function commerce_stripe_library_info_build() {
    $libraries = [];
    $stripe_src = 'https://js.stripe.com/v3/';
    // Integrity value computed from the script Stripe serves at this URL right now.
    $stripe_integrity = fetch_stripe_integrity($stripe_src);
    // @todo get this value from global or payment gateway settings.
    $use_fraud_detection = TRUE;
    if (!$use_fraud_detection) {
      $stripe_src .= '?advancedFraudSignals=false';
    }
    $libraries['stripe'] = [
      'version' => '3',
      'js' => [
        $stripe_src => [
          'type' => 'external',
          'minified' => TRUE,
          // Rendered as integrity="..." crossorigin="anonymous" on the <script> tag.
          'attributes' => [
            'integrity' => $stripe_integrity,
            'crossorigin' => 'anonymous',
          ],
        ],
      ],
    ];
    return $libraries;
  }
Then, add a new function to calculate the hash value at runtime.
  function fetch_stripe_integrity($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    // Treat HTTP 4xx/5xx as a failure so an error page is never hashed.
    curl_setopt($ch, CURLOPT_FAILONERROR, TRUE);
    $response = curl_exec($ch);
    if ($response === FALSE) {
      $error = curl_error($ch);
      curl_close($ch);
      throw new Exception('Curl error: ' . $error);
    }
    curl_close($ch);
    // SRI expects the raw (binary) digest, base64-encoded and prefixed with the algorithm name.
    $hash = hash('sha384', $response, TRUE);
    $base64_hash = base64_encode($hash);
    // Return the hash in the required format.
    return 'sha384-' . $base64_hash;
  }
You will need to track these changes and re-apply them after any update to commerce_stripe in the future.
After these modifications, I pass PCI 4.0 as scanned by Tenable.
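The patch above derives the integrity value from whatever js.stripe.com serves at request time. As an added example, not part of this comment or of commerce_stripe, the following PHP shows the complementary check: comparing the bytes of a fetched script against an integrity value stored earlier (for instance in configuration), using the SRI matching rules (strongest listed algorithm wins, any digest of that algorithm may match). The function names and the sample script content are constructed for the example.

```php
<?php
// Added example (not commerce_stripe code): verify script bytes against a
// previously stored SRI integrity attribute instead of re-hashing at runtime.

/** Build an SRI token such as "sha384-..." for raw content. */
function sri_token(string $content, string $algo = 'sha384'): string {
  return $algo . '-' . base64_encode(hash($algo, $content, true));
}

/**
 * Check $content against an integrity attribute: parse every token, keep only
 * those using the strongest algorithm listed, accept if any of them matches.
 * Unlike a browser, this fails closed when no usable token is present.
 */
function sri_matches(string $content, string $integrity): bool {
  $rank = ['sha256' => 1, 'sha384' => 2, 'sha512' => 3];
  $candidates = [];
  foreach (preg_split('/\s+/', trim($integrity)) as $token) {
    // Unknown algorithms and malformed tokens are skipped, as the SRI spec requires.
    if (!preg_match('/^(sha256|sha384|sha512)-([A-Za-z0-9+\/=]+)$/', $token, $m)) {
      continue;
    }
    $candidates[] = [$m[1], $m[2]];
  }
  if (!$candidates) {
    return false;
  }
  $strongest = max(array_map(fn($c) => $rank[$c[0]], $candidates));
  foreach ($candidates as [$algo, $digest]) {
    if ($rank[$algo] !== $strongest) {
      continue;
    }
    $actual = base64_encode(hash($algo, $content, true));
    // Constant-time comparison of the two base64 strings.
    if (hash_equals($actual, $digest)) {
      return true;
    }
  }
  return false;
}

// Constructed sample: $pinned stands in for the value you recorded when you
// last vetted the script; $served stands in for the bytes fetched today.
$vetted = "console.log('stripe stub');\n";
$pinned = sri_token($vetted);
$served = $vetted . "// appended later\n";
var_dump(sri_matches($vetted, $pinned));
var_dump(sri_matches($served, $pinned));
```

A mismatch on the second call is the signal to review the new script before updating the stored value, rather than silently adopting the new hash.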