
At one point I had looked at Braintree as a possible payment vendor and checked out their API. At the time, they had the "Transparent Redirect" option which solved a lot of PCI compliance issues without having the user see the payment vendor's website. This option posted the credit card data to Braintree's servers and sent back a 302 redirect with a token.

Now it looks like they're pushing the Braintree.js option, which encrypts the credit card data in the browser before posting it to the seller's website. My question is this:

What happens when JavaScript is turned off in the user's browser?

I realize that since the input tags don't have a name attribute they won't be posted, so that's not a security risk as far as plaintext card numbers go. But does the transaction just bomb out? Is there really no fallback for customers that don't have JS working for whatever reason?

Edit: Just to be clear, I'm fully aware of how Javascript works on the browser, etc. This question is more specific to what happens with the Braintree API itself and the options available within it.

Shea Daniels
  • With no JS browser support, no JS will run period. – doogle Aug 29 '13 at 15:50
  • Encryption in JavaScript is unsafe. Rely on using https. – Halcyon Aug 29 '13 at 15:51
  • @FritsvanCampen, it's an added layer of protection, not a replacement. It's especially useful because data can be encrypted with a public key, and only Braintree can decrypt it with their private key. – Brigand Aug 29 '13 at 15:54
  • Doesn't matter, JavaScript is unsafe at the entry and exit points. If you're doing encryption the input to your encryption must be somewhere in the page or loaded via AJAX, both can be intercepted. It doesn't reduce security but it doesn't add anything either. – Halcyon Aug 29 '13 at 15:56
  • @FritsvanCampen The encryption done by Braintree.js is for compliance purposes, not security purposes. HTTPS is used to secure the data. – agf Aug 29 '13 at 16:06
  • The client side encryption is meant to reduce PCI Compliance issues, not necessarily increase security. The solution still relies on HTTPS to keep things secure from prying eyes. – Shea Daniels Aug 29 '13 at 16:06
  • Since your question is *specifically* about the Braintree API, either try it yourself, or ask their tech support. Off-topic for Stack Overflow. – user229044 Aug 29 '13 at 16:10
  • @SheaDaniels I work at Braintree. I'm sure you know most ecommerce sites don't work without Javascript, so people with Javascript turned off are used to having to turn it on to make a purchase. That said, I'm not sure I understand your edit. If you post a form to your server, and you don't get any credit card fields, you know that the Javascript didn't work and you can decide what to do from there. You don't have to send the data on to Braintree to find out that Javascript was disabled. If that answers your question I'll move this to an answer. – agf Aug 29 '13 at 16:12
  • @meagar There are many, many questions here about individual APIs / platforms, from App.net to Twilio. Many of them are about much more narrow / obscure aspects of their APIs than this question. I don't see how this is off topic in any way. – agf Aug 29 '13 at 16:14
  • @agf Existing off-topic questions don't justify additional off-topic questions. Support for 3rd party APIs is off-topic. – user229044 Aug 29 '13 at 16:17
  • @meagar Can you cite a source? Interacting with external web services is a huge part of my, and many, many other programmers' jobs, and has always been on topic here. – agf Aug 29 '13 at 16:23
  • @agf I realize that, but as a government service we don't have the option of just ignoring citizens if they have it turned off. Let's try distilling it down to this: If I detect that javascript is turned off, is a back up option like transparent redirect still available? – Shea Daniels Aug 29 '13 at 17:08
  • @Shea: If you detect JS is turned off, emit a message that says JS is required for PCI compliance and their own security. – Lawrence Dol Aug 29 '13 at 17:25
  • @SheaDaniels Transparent redirect is still available. However, you have to draw the line somewhere -- governments included. You can't support everyone. Most services draw that line at IE < 6 and Javascript disabled, at a minimum. – agf Aug 29 '13 at 18:44
  • @agf I agree there is a line, but it varies by application and customer. For a simple government payment I really don't see any need to have JS turned on. I know that because it works just fine right now. If JS improves the quality of the experience, then we are free to enhance with it, but requiring it is just laziness on our part. This article is on the older side but I think it explains some of the reasons why people might have it disabled http://bit.ly/tus4Ra – Shea Daniels Aug 29 '13 at 19:32

1 Answer

Any JavaScript on the page will do absolutely nothing if JavaScript isn't enabled.

One option is to have your page set up as if JavaScript doesn't exist. Then, have the JavaScript remove the old school stuff from the page, and load the JavaScript version.

The obvious downside is that you're slowing everything down slightly for the vast majority of users, to aid a small group of people. If you need to do that in your business, okay.

In my personal opinion, because no browsers disable JavaScript by default, those users are opting out from a large number of services and experiences on the web. Even screenreaders have JavaScript enabled 98.5% of the time (2011 and 2013 studies/surveys).

Brigand
  • Thanks for the answer but I'm looking for something more specific to the Braintree API. I know how to do progressive enhancement for the code that I write, but this is a 3rd party API. I'm more interested in whether there is a fallback option like using the old transparent redirect stuff if JS is turned off. I really don't want to leave anyone out of the loop as this is a government service for the citizens. – Shea Daniels Aug 29 '13 at 16:07
  • Ah okay. Well it may be best to contact them directly, and share your findings here. I'm not seeing anything in their docs about it. You might have to do it yourself, or convince them to implement it as a feature. – Brigand Aug 29 '13 at 16:16
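A server-side sketch of the decision agf describes in the comments (no card fields arrived, so the JavaScript did not run) combined with the answer's progressive-enhancement idea, written as an added example and not taken from Braintree or from anyone in this thread. The field names `encrypted_number` and `encrypted_cvv`, and the `nojs_fallback` hidden input (assumed to sit inside a `<noscript>` block so it is only submitted when JavaScript did not run), are assumptions; Braintree.js's real field names are not on the page. The Luhn scan is a defensive check so that a plaintext card number never gets stored or forwarded if the encryption step was skipped.

```python
import re

# Constructed field names for illustration; Braintree.js's real field names
# are not stated on the page and are not assumed here.
ENCRYPTED_FIELDS = ("encrypted_number", "encrypted_cvv")
NOJS_MARKER = "nojs_fallback"  # assumed hidden input inside a <noscript> block

# 13-19 digits, optionally separated by spaces or dashes
_DIGIT_RUNS = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a pure digit string (doubles every second digit from the right)."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if any 13-19 digit run in the value passes Luhn, i.e. may be a raw card number."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0)))
               for m in _DIGIT_RUNS.finditer(value))


def classify_submission(form: dict) -> str:
    """Decide how a posted checkout form should be handled.

    'reject'    - some value looks like a plaintext card number: never store or forward it
    'encrypted' - the client-side encryption ran; only ciphertext arrived, hand off to the gateway
    'fallback'  - JavaScript was off (noscript marker present, no ciphertext): use a redirect flow
    'unknown'   - neither path produced data; show an error page
    """
    # Scan every field, including the "encrypted" ones, so a misconfigured form
    # that posts plaintext under the ciphertext field name is still caught.
    if any(looks_like_pan(v) for v in form.values()):
        return "reject"
    if all(form.get(f) for f in ENCRYPTED_FIELDS):
        return "encrypted"
    if form.get(NOJS_MARKER) == "1":
        return "fallback"
    return "unknown"
```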