loconotion icon indicating copy to clipboard operation
loconotion copied to clipboard

Published 20 hours ago • verified publisher icon leoncvlt

Stripe code injection?

Open mmuelly opened this issue 4 years ago • 2 comments

I just ran a speedtest and noticed that there is some stripe code element injected into the code which does not appear to be present on the original site. This is actually new and didn't happen as of earlier this week. I thought it was in my pipeline at first, but the demo page has the same code injected:

<iframe allowpaymentrequest="true" allowtransparency="true" aria-hidden="true" frameborder="0" name="__privateStripeMetricsController3360" scrolling="no" src="https://js.stripe.com/v3/m-outer-d6c2bdb836ab7d041671a72774049a01.html#url=https%3A%2F%2Fwww.notion.so%2FLoconotion-Example-Page-03c403f4fdc94cc1b315b9469a8950ef&amp;title=Notion%20%E2%80%93%20The%20all-in-one%20workspace%20for%20your%20notes%2C%20tasks%2C%20wikis%2C%20and%20databases.&amp;referrer=&amp;muid=NA&amp;sid=NA&amp;version=6&amp;preview=false" style="border: none !important; margin: 0px !important; padding: 0px !important; width: 1px !important; min-width: 100% !important; overflow: hidden !important; display: block !important; visibility: hidden !important; position: fixed !important; height: 1px !important; pointer-events: none !important; user-select: none !important;" tabindex="-1"></iframe>

Any idea where this is coming from? I checked the html page after running loconotion, so it's not the frontend. It's not on the original notion page and I cannot find it in the code. Given that this is happening on both your sample and my page it doesn't appear to be an injection along the transmission path and most likely Chromedriver. However, I haven't changed the chromedriver version, and it seems unlikely that the chromium hosted version has changed.

I'm not sure the code actually does anything, but it's a bit unnerving to have a payment processor's code injected.

Any ideas?

mmuelly avatar Feb 08 '21 01:02 mmuelly

Actually, dug a little further, and it does appear to come from one of the notion js includes: https://www.notion.so/vendors~main-c6c3818b0ff824f5eb8d.js

I went back to a revision from last week and the code was indeed not there; this appears to have been added by notion in the past week.

mmuelly avatar Feb 08 '21 01:02 mmuelly

I noticed that too while working on this in the past few days! I'll add that to the list of stripped vendors modules

leoncvlt avatar Feb 08 '21 08:02 leoncvlt