MB-R087
Every script loaded on payment pages should be inventoried with its source, owner, business justification, and authorization status. Untracked third-party scripts are a major source of Magecart-style compromise. Enumerate checkout layout XML, templates, CMS blocks, CSP whitelists, and rendered payment pages to build an auditable script inventory.
Checkout scripts can read or influence payment-page behavior. Unknown scripts loaded on checkout create risk of payment skimming, data leakage, broken CSP rules, and uncontrolled third-party changes.
A maintained script inventory gives teams a reviewable list of what runs on payment pages, why it is needed, who owns it, and whether it is approved.
# Open checkout and list loaded script sources in browser DevTools
# Compare domains and files against the approved script inventory
grep -RIE "<script|requirejs-config|x-magento-init" app/code app/design 2>/dev/null
Checkout loads analytics, chat, A/B testing, and unknown CDN scripts with no owner record.
# No inventory → FAIL
checkout-scripts.md lists gateway SDK, fraud tool, owner, source URL, and approval date.
# Inventory maintained → PASS