This page lists the scripts used by Cameo forms and documents changes to them. This helps you meet your regulatory obligations for pages on your website that embed forms which take payments.
See Cameo Scriptwatch and cameocsp WordPress plugin for how you might use this information.
You might want to bookmark this page, in particular the Changes section.
Scripts
Unless shown otherwise, all scripts load from your form domain, as shown in forms → server configuration.
/form-name.js | Provides all the interaction common to all forms, including moving from step to step through the form. (In version 11, forthcoming, this will reduce to a simple stub specific to the form, with the bulk of the code loaded only once across all forms so that the browser can cache it; at present, similar code is loaded separately for each form.) |
/impl/form-type.js | Provides the interaction specific to the particular type of form. For example, this provides field-specific error checking for each step of a form before the data it collects is sent to the server. |
/impl/cameopay.js | Provides the code each payment provider requires to display the step which collects payment details and then submit them to the provider. In some cases, this displays a form (often provided by the payment provider) to take details (such as the customer's card number to make a card payment). In others, it redirects the customer to the provider’s website to take the details (such as their bank account number to set up a direct debit mandate). (In version 11, this is split into provider-specific scripts, and only the one required for the payment method requested is loaded.) |
https://code.jquery.com/jquery-3.2.1.min.js | Basic utilities for manipulating the HTML DOM (the web page, and in particular here, the form). Without this, a form cannot load. However, WordPress provides jQuery as well (possibly a different version), and when that happens, the form uses WordPress’ version (loaded locally from your website's WordPress installation, not from code.jquery.com). If we do need to load it, it is SRI checked (that is, it will not load unless the hash provided for it matches the code provided by the CDN). |
/leaflet-0.7.7/leaflet.js | A utility to display and interact with a map, when the form requires the customer to provide location information in a custom field. We only load this when necessary. It would be highly unusual for a form taking payment to need this. It is usually only needed in the questions form, when a question asks the customer to locate something on a map. SRI checked, even though loaded locally. |
/locutus/strtotime.js | A utility to provide date arithmetic. JavaScript’s date arithmetic is limited; this script provides a function strtotime which mirrors the equivalent on Unix systems. SRI checked, even though loaded locally. |
/panzoom-4.5.1/panzoom.min.js | A utility to allow pan and zoom on a section of the page. This is currently only used in the booking form, and only then when selecting reserved seating, to pan and zoom the seating plan in order to select seats. The seating plan would otherwise be impossible to use on small screens. SRI checked, even though loaded locally. |
https://js.stripe.com/… | Various scripts from this URL that actually implement the payment form for Stripe, StripeCheckout and Applepay |
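The SRI check mentioned in the table above, as an added example (not Cameo's code): it computes the integrity value for a script body and reproduces the browser's load decision, including the multiple-hash case and the malformed-attribute case, which fails open. The function names and the sample script body are constructed for illustration; it assumes Node.js and uses only the built-in crypto module.

```javascript
// Added example, not Cameo's code. Assumes Node.js (built-in crypto only).
const crypto = require('crypto');

// Algorithms SRI accepts, ranked weakest to strongest.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

function digest(body, algo) {
  return crypto.createHash(algo).update(body).digest('base64');
}

// Build the value that goes into integrity="..." for a script body.
function sriHash(body, algo = 'sha384') {
  return `${algo}-${digest(body, algo)}`;
}

// Reproduce the browser's decision for a fetched body and an integrity attribute:
// unknown or malformed tokens are ignored, only the strongest algorithm present
// is honoured, and the script loads if any digest of that algorithm matches.
function sriAllows(body, integrity) {
  const parsed = integrity.trim().split(/\s+/).filter(Boolean)
    .map((tok) => {
      const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(tok);
      return m && { algo: m[1], value: m[2] };
    })
    .filter(Boolean);
  // No usable token means the browser applies no check at all (fails open),
  // so a typo in the attribute silently removes the protection.
  if (parsed.length === 0) return true;
  const strongest = Math.max(...parsed.map((p) => STRENGTH[p.algo]));
  return parsed
    .filter((p) => STRENGTH[p.algo] === strongest)
    .some((p) => p.value === digest(body, p.algo));
}

// Constructed sample: a stand-in for a utility script and a modified copy of it.
const original = 'function strtotime(text) { return Date.parse(text) / 1000; }';
const modified = original + ' /* injected */';

console.log(sriHash(original));                     // value to publish in the script tag
console.log(sriAllows(original, sriHash(original))); // unchanged script loads
console.log(sriAllows(modified, sriHash(original))); // changed script is refused
```

When checking your own pages, treat an integrity attribute that parses to nothing as a finding in its own right, because the browser will load the script unchecked.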
Changes
In Cameo version 11, changes will have version numbers. Currently scripts do have version information, which you’ll see in the URLs of the scripts loaded. However, it is different for different installations of Cameo. Therefore, we’ll just quote the date of the change here for now.
Date of change | Version | Nature of change | Affected Scripts (see above for what these scripts do) |
24 March 2025 | | Add Sub-resource Integrity checking to utility scripts (not strictly necessary, as they are not loaded from a third-party site, but adds a little additional security). | All /form-name.js |
20 March 2025 | | First documented here | |