
Since more than one of the replies to me mention this, I'll reply to myself...

It is correct that serving the necessary JavaScript over HTTPS is the Right Thing To Do as it prevents injection. IIRC (I'm on my phone and not where I can research) Stripe serves the JavaScript themselves over HTTPS (you pull their scripts from their server) and this problem is solved.

While I understated the concern about serving forms unsecured, the same MITM problem is a potential issue for the page containing the form. The solution is the same: serve over HTTPS.


