19 comments

[ 2.7 ms ] story [ 48.1 ms ] thread
I'm confused, is the price actually stored in the DOM?
Yes, in the documentation they are selling that as a feature.

One of the Snipcart's strength is that you do not have to enter your product inventory anywhere. Most of the time you will always have an inventory somewhere or an existing database, so we did not want to have you duplicate information.

So how does it work? All your product information is stored in the HTML markup.

Kind of a major oversight.

I don't really see much use for this, why give another 2% of your sales away? Stripe is already ridiculously easy to integrate.

Yes Stripe is easy to integrate, but we are mostly focusing on frontend developers that want a customizable shopping cart, with all the features like shipping rates calculation, full control on the CSS and a dashboard for their customers with the orders.
So, as a web developer, I'm not seeing anything that would inspire confidence regarding someone simply inspecting & changing this data attribute to:

data-item-price="0.01"

I skimmed through the documentation, but didn't see any real mention of this concern. I think it should be highlighted.

Seems that by allowing it to be in markup it might encourage people to be negligent and perhaps miss verifying that the submitted price is correct... maybe I'm missing something here.

Presumably they crawl the website on signup and watch out for major changes in price like that?

But, yes, if that's the case then that should be highlighted in the docs.

We crawl the page that you specify within the data-item-url attribute.

We validate that no product informations has been altered.

If so, we simply ignore the order and nothing is charged or processed.

Who specifies the page? Is that set up in the SnipCart admin?
What happens when products are loaded with JS after the initial load? For example, maybe the user presses a "Load More" button, or the site uses infinite scrolling, etc. Do you guys handle that in any way? I'm not trying to trash your product, I'm just genuinely curious.
The markup must be available on the webpage when it loads, but we plan to have JSON endpoints in a very near future, so if the URL that we crawl returns json, we will use it instead of crawling the HTML. It will be documented soon.
How does the crawling occur? What if I altered the data-item-url attribute?
Just before the order payment is being done, we crawl the URL of the product, we check for a product with the specified ID and validate that the price, name, any other properties have not been altered. If it has been altered, we reject the order. The URL in data-item-url must be on your site domain, so by example, if you change the data-item-url from snipcart.com/product to myapp.com/product, it will be considered as altered and the order will be rejected.
What really scares me is that there's no mention of security on their site aside from the usual "we use HTTPS" line.
We will add more informations about how our price validation works very soon. Also, we already suggest our customers to make sure their website is HTTPS also.
(comment deleted)
"IF YOU SELL, WE GET PAID, IF YOU DON'T, WE'RE NOT"

I don't speak Finnish or Russian, but if I was going to offer businesses an ecommerce solution in those countries, I'd be damn sure my copy was grammatically correct.

Not to bust your balls, but we're talking about moving customers' money around - the details matter.

Fixed, thanks for your feedback! We are a company from Quebec city so we speak french most of the time!
How about "If you don't, neither do we" to avoid the repetition?