I recently signed up and ordered a game. I ran into a browser security related problem with the ordering process - it involves MasterCard verification, where you get a pop-up browser frame that asks for a separate security code. It's the first time I'd used that service relating to Visa or MC.
In any case, because my browser security model is based on whitelisting sites, scripts such as what gog.com use get blocked. I whitelisted gog.com of course, but whatever domain sources that pop-up verification isn't easy to figure out - because once that security script gets blocked, the pop-up reverts to gog.com.
Long story short:
GOG needs to document and publish a support topic that defines exactly which sites/domains are necessary to allow. The alternative is to advise customers to allow scripts globally temporarily, but there are some folks - including myself - that don't want to do that. Would be just as easy to say that gog.com and someMasterCardDomain.com needs to be whitelisted.
Comments?

there's a few threads on this exact topic in this forum, do a search. :)

Valid point.
Although if you are paranoid (about scripts/security), then I don't understand why you use a credit card (online) at all.

Never been a fan of NoScript, but there's an easy way to figure out which urls get loaded: Install the LiveHttpHeaders extension for Firefox and you can see all the urls that get loaded. You should be able to find the url of the service that's processing the credit card info quite easily.

I like looking at the data on my router. linux on linksys ftw.

It's good that others have had similar thoughts. But I wouldn't know. I searched on 'noscript' and it comes back with zip. I suppose I could have searched on other terms or paged through forums looking around for stuff. But I'll simplify my original post into one sentence.
"GOG needs to document and publish a support topic that defines exactly which sites/domains are necessary to allow."
Even better: They could put a footer on the purchase page that mentions the requirements.
Then we wouldn't need to have multiple posts that may or may not get found by customers. Two birds, one stone.
[Adding
Qbix: It's not paranoia. It's taking responsibility. We're long past the point where we wonder if there are security issues floating around the 'net. It's a fact of life now. So while it's valid to be concerned about whether or not to push credit card info out, it doesn't mean that just because I'm willing to do that as a matter of convenience or necessity that I should just let any and all scripts run locally without at least vetting which domain they're coming from. Make any sense?

try mastercard

A support document yes, but listing it right on the page would be overkill. After all, this is a self inflicted problem.
Anyway, try livehttpheaders, it's really quite simple: install it, then you'll get a new toolbar under View/Toolbars . Enable it whenever you need to find a url and it will log all outgoing connections from your browser.

@ hansschmucker:
Alrighty, it's arcot.com that needs whitelisting. I got it from checking page properties on the blocked frame - but I'll check out livehttpheaders. Thanks for the tip on that addon.
@Weclock: It's so awesome we're focused on forum search functionality to root out the existing wisdom on a given topic. Without a good forum search feature, we'd be spending our entire day copy/pasting answers from previously asked questions. Or re-typing "try forum search" for every other post. I'm with you!
But here's a bit of trivia I just discovered relating to forum searching here...
Did you know that of the two (two!) search fields on the main forum page at:
[url=]http://www.gog.com/en/forum/[/url]
neither one of them will search the forums?
That's so awesome.

you know, I never tried the second one, that is really fairly lame. :(
But you're right, I agree that there should be documentation, I mean they have documentation saying "check with your bank, because they may charge extra for overseas purchases"

I submitted a ticket relating to the search fields on that page. As well, I submitted a ticket relating to advising folks about arcot.com (or any similar validation domains that may trip up depending upon browser security options). I have no indications from the posts I did eventually find about the validation issue that anyone did submit a feedback or support ticket about it, so I went ahead and did so to get it on the web developers' radar.

Thank you :)

I contacted support on this about a week ago. The main forums page search function is only searching forum titles and not within the forums themselves. They are supposedly already working on fixing it.

I think there are worse things than two two tickets for one issue... and it's also a nice way to remind them (stuff like this is often simply forgotten)