- https://directpay.irs.gov/directpay/payment
and here is where the JavaScript it uses is loading from:
- irs.gov
- google-analytics.com
- googletagmanager.com
- medallia.com
IRS requires you to provide extensive information to pay taxes online.
I've also seen a bank including something called "launchdarkly" as well, which does not inspire confidence either. Can't log in without it loaded.
So, isn't this a data leak, and couldn't it be dangerous? Do Google and Medallia know my SSN, AGI, etc. now?
Or does HTTPS prevent form data sharing these days? If that is the case, how does one push back on the spread of analytics companies being used in confidential situations?
This can be mostly prevented by using CSP Hash, then having strong auditing that produces a 'trusted' version. This of course would make the IRS stay on a single version for a much longer time frame.
However, my experience is that all vendors want to update their software at any time, and would likely not approve of using the same version for years at a time.