Security: Protocol-relative Afterpay SDK URLs may allow insecure script transport#3227
Conversation
The Afterpay script URL constants use protocol-relative URLs (`//portal...`) and `load()` defaults to `withHttps = false`. If checkout is ever served over HTTP (or through an insecure intermediary), the SDK can be fetched over HTTP, enabling man-in-the-middle script injection.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit d1f7680.
| PROD = '//portal.afterpay.com/afterpay-async.js', | ||
| SANDBOX = '//portal.sandbox.afterpay.com/afterpay.js', | ||
| PROD = 'https://portal.afterpay.com/afterpay-async.js', | ||
| SANDBOX = 'https://portal.sandbox.afterpay.com/afterpay.js', |
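Review bot: with PROD and SANDBOX now set to the same `https://` values as HTTPS_PROD and HTTPS_SANDBOX, the `withHttps` switch in `_getScriptURI` no longer selects anything, so either drop the HTTPS_* members and the flag in this same change or keep a single https-only constant per environment; otherwise a later edit can reintroduce the scheme-relative form believing the flag still guards transport. The description also says the default of `withHttps` in `load()` and `_getScriptURI()` flips to `true`, but that hunk is not shown here; please confirm it is part of commit d1f7680.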
Redundant enum values and dead branching after URL change
Medium Severity
After changing PROD and SANDBOX to use https:// URLs, they are now identical to HTTPS_PROD and HTTPS_SANDBOX in both SCRIPTS_DEFAULT and SCRIPTS_US. This makes the HTTPS_* enum variants, the withHttps parameter, and all branching in _getScriptURI dead code. The caller in afterpay-payment-strategy.ts still reads the PI-4789.afterpay_script_use_https experiment flag and passes it as withHttps, but it no longer affects behavior. This creates a maintenance trap where a future developer could change PROD/SANDBOX back to protocol-relative URLs thinking withHttps still controls transport security.


Summary
Security: Protocol-relative Afterpay SDK URLs may allow insecure script transport

Problem
Severity: Medium | File: packages/afterpay-integration/src/afterpay-script-loader.ts:L10
The Afterpay script URL constants use protocol-relative URLs (`//portal...`) and `load()` defaults to `withHttps = false`. If checkout is ever served over HTTP (or through an insecure intermediary), the SDK can be fetched over HTTP, enabling man-in-the-middle script injection.

Solution
Use HTTPS-only URLs for all script constants and make secure transport the default behavior. Remove protocol-relative variants and set `withHttps` to true by default (or eliminate the flag entirely).

Changes
packages/afterpay-integration/src/afterpay-script-loader.ts (modified)

Note
Medium Risk
Changes the default Afterpay SDK script loading behavior to always prefer HTTPS, which could affect environments relying on protocol-relative/HTTP loading or explicit `withHttps=false` behavior.

Overview
Forces Afterpay SDK scripts to load over HTTPS by replacing protocol-relative `//portal...` URLs with explicit `https://...` endpoints. Also flips the default `withHttps` parameter in `AfterpayScriptLoader.load()` and `_getScriptURI()` to `true`, making secure transport the default without requiring callers to opt in.
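The transport risk described in the Problem section, as an added example that is not code from the PR or the repository: it models the before/after constants from the diff, resolves them against a page origin the way a browser would, and adds a hardened resolver and a review-time audit. The functions `resolveScriptUrl`, `assertHttpsScriptUrl`, `auditScriptConstants` and the sample origin `checkout.example` are assumptions made for this illustration.

```typescript
// Added example, not the repository's code. It models the constants from the
// diff above and shows how a scheme-relative script URL inherits the page's
// scheme, plus a hardened resolver that refuses non-https transport.
// resolveScriptUrl, assertHttpsScriptUrl, auditScriptConstants and the
// sample page origins are assumptions made for this illustration.

// Shape of the constants before and after the change in the hunk above.
enum ScriptsBefore {
  PROD = '//portal.afterpay.com/afterpay-async.js',
  SANDBOX = '//portal.sandbox.afterpay.com/afterpay.js',
}
enum ScriptsAfter {
  PROD = 'https://portal.afterpay.com/afterpay-async.js',
  SANDBOX = 'https://portal.sandbox.afterpay.com/afterpay.js',
}

// Resolve a script URL the way a browser resolves <script src> against the
// document origin: a scheme-relative URL takes whatever scheme the page has.
function resolveScriptUrl(scriptUrl: string, pageOrigin: string): string {
  return new URL(scriptUrl, pageOrigin).href;
}

// Hardened resolver: the SDK may only be fetched over https, no matter how
// the checkout page itself was served, so a downgrade fails loudly.
function assertHttpsScriptUrl(scriptUrl: string, pageOrigin: string): string {
  const resolved = new URL(scriptUrl, pageOrigin);
  if (resolved.protocol !== 'https:') {
    throw new Error(`refusing insecure script transport: ${resolved.href}`);
  }
  return resolved.href;
}

// Review-time check: which constants would load insecurely from a given page
// origin? Returns the offending keys; an empty list means all are https-only.
function auditScriptConstants(
  constants: Record<string, string>,
  pageOrigin: string,
): string[] {
  return Object.entries(constants)
    .filter(([, url]) => new URL(url, pageOrigin).protocol !== 'https:')
    .map(([key]) => key);
}

// The old constants are only safe when the page is already https; the new
// ones are safe from any origin.
console.log(auditScriptConstants(ScriptsBefore, 'http://checkout.example'));
console.log(auditScriptConstants(ScriptsAfter, 'http://checkout.example'));
```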