Thank you for the prompt reply. Don’t mention the donation, good work deserves to be supported!
Please keep everyone informed about your research on the tokens. I suppose what’s bugging me still is the documentation at https://stripe.com/help/security insists that they “use HSTS to ensure browsers interact with Stripe only over HTTPS”. Every single plugin I’ve come across for Stripe, except yours, refuses to work over regular HTTP.
It’s not that I’m doubting your work at all, it’s just that my customers, and anyone who reads my tutorial, will be wondering the same thing. You should therefore have an answer ready. Stripe obviously uses SSL/TLS in the API, and Stripe.js is served only over TLS. I’m therefore assuming your plugin acquires the js using libcurl. So maybe it’s just that by not insisting on HTTPS on the WordPress site, your plugin is breaking convention? It’s up to the user to consider man-in-the-middle attacks as a possibility?
These are all just thoughts off the top of my head, but a Stripe plugin that is secure WITHOUT the need for HTTPS is very much needed, if you can convince everyone that it is just that… certs are expensive and difficult to implement in many cases, especially on shared hosting platforms.
Here’s a link to the tutorial in which I recommend your plugin. Please keep up the good work and update this thread with your findings.