Comment by dzhiurgis
6 years ago
Seems like both Stripe and the website author are misusing the browser feature.
Seems like the core problem is the lack of a storage API that can only be accessed from JS that executes from the same domain?
Edit: Seems localStorage does isolate per domain, but I am not sure whether it's for the page itself or for external JS too.
I've found some places that say localStorage is insecure, but both OWASP [0] and MDN [1] say it isolates by origin. Third-party scripts from different origins shouldn't be able to access it, but a successful XSS attack could have access.
[0] https://cheatsheetseries.owasp.org/cheatsheets/Session_Manag...
[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage...
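The point the comment is unsure about, shown as an added example (not part of the original comment or of any project): localStorage is keyed by the origin of the *document* that runs the code, so a `<script src>` fetched from a third-party origin still executes in the including page's origin and can read that page's localStorage, whereas a cross-origin `<iframe>` is a separate document with its own origin and its own storage. The audit below classifies a page's embeds that way; it assumes a Node.js runtime and the hostnames in the sample HTML are constructed placeholders.

```javascript
// Added example: list <script>/<iframe> embeds of a page and state, for each,
// whether the code it loads executes with access to the page's localStorage.
// Fact relied on: a script runs with the including document's origin no matter
// where it was fetched from; an iframe runs with the origin of the URL it loads.
// Assumes Node.js (built-in URL class); no external packages.

const TAG_RE = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;

// Origin (scheme://host[:port]) of a src attribute resolved against the page URL.
function originOf(src, pageUrl) {
  return new URL(src, pageUrl).origin;
}

// Returns one record per <script>/<iframe> carrying a src attribute:
//   { tag, src, origin, crossOrigin, canReadPageStorage }
function auditEmbeds(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const src = m[2];
    const origin = originOf(src, pageUrl);
    const crossOrigin = origin !== pageOrigin;
    findings.push({
      tag,
      src,
      origin,
      crossOrigin,
      // Scripts inherit the document's origin; iframes only share storage when
      // the framed URL is same-origin with the page.
      canReadPageStorage: tag === 'script' ? true : !crossOrigin,
    });
  }
  return findings;
}

// Constructed sample page (placeholder hostnames, not real sites).
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://js.payments.example/v3/"></script>
<iframe src="https://js.payments.example/card-frame"></iframe>
<iframe src="/help"></iframe>
`;

for (const f of auditEmbeds(SAMPLE_HTML, 'https://shop.example/checkout')) {
  console.log(`${f.tag} ${f.src}: origin=${f.origin} crossOrigin=${f.crossOrigin} canReadPageStorage=${f.canReadPageStorage}`);
}
```

The second line of output is the case the comment asks about: the cross-origin script is flagged `canReadPageStorage=true`, while the cross-origin iframe that loads from the same third-party host is not.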