Customize meteor javascript settings?

Why do we see double html tag on all apps made with Meteor?

<!DOCTYPE html>

Could we remove some of the parameters and is there any security vulnerability if someone could modify and hijack ROOT_URL, DDP_DEFAULT_CONNECTION_URL, etc at runtime to the other servers?

<script type="text/javascript">__meteor_runtime_config__ = {"meteorRelease":"1.0.x","ROOT_URL":"","ROOT_URL_PATH_PREFIX":"","DDP_DEFAULT_CONNECTION_URL":"ddp+sockjs://ddp--****","PUBLIC_SETTINGS":{"package":{"name":"test","description":"This is a description.","owner":"Thisisowner","repo":"test","absoluteUrl":""}},"autoupdateVersion":"0fb128df-9597-5652-dfe0-63f5d1405348"};</script>

<!DOCTYPE html> is not an html tag, it is a document type declaration telling the browser that the following document should be treated as html version 5.

Those parameters are placed there by meteor, depending on some environment settings and meteor settings file contents and some parameters you pass in while running/building meteor. They cannot be used to hijack or modify your application unless you publish sensitive information there like secret keys etc. That would be in the “PUBLIC SETTINGS” part which comes from a meteor settings file that is probably in the root of your project right now.

1 Like