by daw___ 3731 days ago
Yep, although the form posts to a secure URL: https://api.stripe.com/v1/tokens
3 comments

Doesn't make it better though, a MITM could change the action URL of the form.
MITM requires a man in the middle. For the most part, a state-level adversary is required for a generalized MITM attack.
Come join my wifi network at the coffee shop :-D
Yes, but that's not a general MITM attack as the NSA has pulled off. Only the folks at that particular coffee shop are placed at risk from this particular adversary.
Not if it's pinned at the web app level.
Again, MITM.

If you mean the front-end web (JS) app, MITM the request from the server to the client browser and replace the hardcoded submission URL in the JS.

Not really. I used Play Framework which is also its own webserver. SSL is at both the app and webserver level.
Usually Stripe throws warnings into the console for using their JS lib while on an HTTP site.