I read the response comments from those you reported to, I kinda get their responses especially in the case of the Spotify example since their payment JS provider has been certified by a QSA (I know their assessor, PSC, they are good, thorough guys) but your point is well taken, you sometimes don't know the security of the script provider.

I liked the article and the one linked too:

SRI is good and it would work for included script code that is very static. If it changes and the hash does not match then something goes bad on the payment page, especially if you are getting the whole payment script from a provider (like Spotify does in the example). Now payment page type companies should be really good at not changing their scripts, let's hope. I guess if the SRI failed you could write code to fire off an email to some developer or write an entry in a well monitored log so that it could be fixed quickly, but the payment page may fail in some way. Having it fail if a hacker changes the script is awesome, having it fail because the provider company is just updating or improving code is more difficult. Hard to potentially notify all your potential link users and get them to change before the script changes…but possible.

An alternate would be to have two script places to go to in order to keep functionality going either until the hacked script is fixed or the updated script can be verified by the real provider. Maybe the payment page company provides an “always works but not so cool looking” backup script that they promise to never change the code you can switch to in an error or you could have an alternate company to go get a script (but now you are paying twice for services…depends on how much money you process I guess, may be worth it). Or, just throw up an error message saying “we can’t take your money today, try tomorrow”.

Another problem I see is that SRI is not supported by Edge (partial support) or Internet Explorer (as of Nov 6, 2018 at least) which I expect is still a pretty big portion of the browsing community. So a browser side solution as of now is not a very comprehensive control.