1

I'm working on a Squarespace site, which does not allow any server-side scripting. So I can only use JavaScript, but I need to update the purchase with tax information from a 3rd party app before the product is submitted to the payment processor, and then send information about the transaction response to the tax app.

Both the payment processor and the tax processor have decent APIs. Here is documentation about how to do this if you have access to the backend: http://dev.taxcloud.net/2013/10/03/taxcloud-js_stripe/. So basically, I need to figure out how to reverse engineer this PHP script to be handled with JavaScript while not triggering the cross-site scripting warnings if possible.

Also, is there a way to store the API keys securely? If I use a JavaScript HTTP request, it's going to have to pull out the key, right? I don't want to give every client access to the key.

Anyway, I just want to:

- Make sure this is possible.
- Make sure this is not a gross breach of security.
- See if you all can give me any leads on where to start and security things to watch out for.

scl

2 Answers

2

To my knowledge, Squarespace does not support CORS, so there are not a lot of alternatives besides JSONP. There are of course some security concerns, but as long as you keep everything SSL and isolate your PHP server script from access to any domain where you store users' information or web pages, it should be fine.

  1. Ensure you have forced HTTPS in the header of your Squarespace site.
  2. Write a JavaScript script on your own created Squarespace page which grabs the request variables (zipcode, amount, etc.) and then does a JSONP request to a PHP function on your own server (HTTPS).
  3. Your key should be on the server in the script, and the PHP function will call the 3rd party API, get the tax info and return it in the callback of your function to the Squarespace site.

Here's an example: Simple jQuery, PHP and JSONP example?

ShanksPranks
0

Possible: Do you have access to any secure (SSL-enabled) server outside of Squarespace that you could configure to allow CORS with server-side preprocessing of requests?

  • Yes, I do, I guess I'll have to do it that way – scl Jun 04 '15 at 15:46
  • So it turns out Squarespace also submits to the payment system on a page that doesn't allow any JavaScript. I don't guess there's any way around that, is there? – scl Jun 05 '15 at 08:13
  • You should ask Squarespace to integrate TaxCloud directly. – David Campbell Jun 05 '15 at 23:04
  • They **should** and certainly _could_ - 80 other commerce platforms already have. _Whether_ and _when_ is probably driven by direct client requests - so please ask them, and tell your friends and clients to ask as well. ;) – David Campbell Jun 09 '15 at 22:43
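
The server-side half of what both answers describe (API key kept on your own HTTPS server, reached from the storefront by JSONP or CORS), written in Node.js rather than the PHP the first answer mentions; this is an added example, not code from the thread or from TaxCloud. `ALLOWED_ORIGIN`, the `zip`/`amount`/`callback` parameter names and the injected `lookupTax()` are assumptions.

```javascript
// Added example (Node.js, no dependencies): logic for a small tax-lookup proxy.
// ALLOWED_ORIGIN, the query parameter names and lookupTax() are assumptions,
// not part of the Squarespace, Stripe or TaxCloud APIs.
const ALLOWED_ORIGIN = 'https://shop.example.com';   // hypothetical storefront origin
const API_KEY = process.env.TAX_API_KEY || 'constructed-demo-key'; // never sent to the browser

// A JSONP callback name is reflected into executable script: allow plain identifiers only.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function validateQuery(q) {
  const zip = String(q.zip || '');
  const amount = Number(q.amount);
  if (!/^\d{5}(-\d{4})?$/.test(zip)) return { error: 'bad zip' };
  if (!Number.isFinite(amount) || amount <= 0 || amount > 100000) return { error: 'bad amount' };
  if (q.callback !== undefined && !(typeof q.callback === 'string' && CALLBACK_RE.test(q.callback))) {
    return { error: 'bad callback' };
  }
  return { zip, amount, callback: q.callback };
}

function buildResponse(input, origin, tax) {
  const payload = JSON.stringify({ tax });          // only the result leaves the server
  if (input.callback) {                             // JSONP variant (first answer)
    return {
      status: 200,
      headers: { 'Content-Type': 'application/javascript', 'X-Content-Type-Options': 'nosniff' },
      body: `${input.callback}(${payload});`,
    };
  }
  // CORS variant (second answer): grant access only to the allowlisted origin, never "*".
  const headers = { 'Content-Type': 'application/json', Vary: 'Origin' };
  if (origin === ALLOWED_ORIGIN) headers['Access-Control-Allow-Origin'] = ALLOWED_ORIGIN;
  return { status: 200, headers, body: payload };
}

// lookupTax(apiKey, zip, amount) stands in for the server-to-server call to the tax API.
async function handleTaxRequest(req, lookupTax) {
  const input = validateQuery(req.query);
  if (input.error) return { status: 400, headers: {}, body: JSON.stringify(input) };
  const tax = await lookupTax(API_KEY, input.zip, input.amount);
  return buildResponse(input, req.headers.origin, tax);
}
```

Keeping the key on the server hides it from clients but does not make the endpoint private: any client can still call it, so rate-limit it and recompute or verify amounts on the server instead of trusting values sent by the browser.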