Stripe.js injected on web at startup, causes GDPR compliance issues #1639
Description
- [✓] I have updated Purchases SDK to the latest version
- [✓] I have read the Contribution Guidelines
- [✓] I have searched the Community
- [✓] I have read docs.revenuecat.com
- [✓] I have searched for existing Github issues
‼️ Required data ‼️
Do not remove any of the steps from the template below. If a step is not applicable to your issue, please leave that step empty.
There are a lot of things that can contribute to things not working. Having a very basic understanding of your environment will help us understand your issue faster!
Environment
[✓] Flutter (Channel [user-branch], 3.27.3, on macOS 26.2 25C56 darwin-arm64, locale de-AT)
[✓] Android toolchain - develop for Android devices (Android SDK version 35.0.1)
[✓] Xcode - develop for iOS and macOS (Xcode 26.2)
[✓] Chrome - develop for the web
[✓] Android Studio (version 2025.3)
[✓] VS Code (version 1.109.4)
[✓] VS Code (version 1.96.4)
[✓] Connected device (3 available)
[✓] Network resources
- purchases_flutter: 9.12.0
- Web platform (Chrome)
Describe the bug
Currently, the purchases_flutter plugin automatically injects stripe.js when the web plugin registers, even if Purchases.configure() is never called.
This means Stripe.js loads at page load and can potentially collect personal data before user consent, which is a GDPR compliance concern.
Expected behavior:
- Stripe.js (and any external scripts) should only load after explicit user consent or after calling Purchases.configure().
- Ideally, the plugin should provide a way to defer or opt out of automatic Stripe.js injection.
Impact:
- Prevents GDPR-compliant web implementations.
- Requires developers to fork/patch the plugin to comply with consent requirements.
There is a PR available for a different kind of implementation of revenueCat: RevenueCat/purchases-js#597