I'm in the middle of developing killginx, which will perform some of these attacks, so I'll just link them here when I'm done. You're definitely wrong about Stripe being invulnerable to this sort of thing, and half wrong about the other things. Up-to-date Firefox and Chrome are not the only things that autofill or negotiate http connections.
Not sure what you're talking about. The autofill thing still works, because you don't need to be logged in for that. The Stripe thing would work if you managed to login via the HTTP website, or the website didn't require you to login to make payments. Not all places uses web frameworks - Synack doesn't use Secure cookies for authentication purposes.