MB-R088
Payment-page scripts should be constrained by allowlists and integrity controls such as SRI, hashes, signed deployment manifests, CSP nonces, or approved monitoring. Without integrity controls, compromised third-party JavaScript or injected snippets can skim card data in the browser. Validate that only approved script origins and expected script assets can execute on checkout.
A script inventory says what should load; an allowlist and integrity controls help enforce it. Without enforcement, compromised tag managers, injected templates, or extension changes can add scripts that skim payment pages.
Strong controls around allowed hosts, CSP nonces/hashes, and deployment review make checkout script behavior harder to tamper with silently.
# Inspect checkout response headers for script-src allowlist
curl -I https://mystore.com/checkout | grep -i content-security-policy
# Compare loaded script hosts in browser DevTools against the approved allowlist
* or broad CDN allowances.script-src * 'unsafe-inline' 'unsafe-eval';
# Broad script execution allowed → FAIL
script-src 'self' https://js.payment-provider.example 'nonce-...';
# Limited approved sources → PASS