Security-related Baidu script hijacking: is this possible in a Meteor app that uses the mentioned services in China?

Full story at the BBC:

So in short, if you’re an Internet user (outside China) who browses a website that uses something like Baidu’s analytics software, Chinese networking hardware detects the request in China as it passes through and sends back a fake response with a malicious script to continuously reload specific pages at GitHub.

Is this possible in a Meteor app, or can BrowserPolicy protect (and maybe detect) against this?

@powderkeg

That article is from 2015. That is 9 years ago.

It is not possible to include GitHub pages in an iframe. I did try, to have links to wiki documentation, but because of GitHub’s browser policy framing restrictions, it is not possible to show anything from GitHub in an iframe at all.

For Meteor apps, if you would like it to not be in an iframe, you can add the browser policy framing packages:

meteor add browser-policy-common

meteor add browser-policy-framing

Then add to server/policy.js:

import { Meteor } from 'meteor/meteor';
import { BrowserPolicy } from 'meteor/browser-policy-common';

// Refuse to render the app inside any frame or iframe.
Meteor.startup(() => {
  BrowserPolicy.framing.disallow();
});

1 Like
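
An added example (not part of the posts above, and not Meteor's own code): a plain Node.js check that reads a response's `X-Frame-Options` and `Content-Security-Policy` headers and reports whether framing is blocked and whether the script policy still admits plain-HTTP or wildcard sources, which is where a script altered in transit could come from. The function names and the sample header values are assumptions constructed for illustration.

```javascript
// Added example: audit response headers for framing and script-source policy.
function parseCsp(value) {
  const directives = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per CSP, the first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function auditHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = parseCsp(h['content-security-policy']);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const ancestors = csp.get('frame-ancestors');

  // Browsers that support frame-ancestors apply it instead of X-Frame-Options.
  let framing;
  if (ancestors) {
    const none = ancestors.length === 0 ||
      (ancestors.length === 1 && ancestors[0] === "'none'");
    framing = none ? 'blocked'
      : ancestors.every((s) => s === "'self'") ? 'same-origin' : 'allowed';
  } else {
    framing = xfo === 'DENY' ? 'blocked'
      : xfo === 'SAMEORIGIN' ? 'same-origin' : 'allowed';
  }

  // script-src falls back to default-src; with neither, any script origin may load.
  const scriptSrc = csp.get('script-src') || csp.get('default-src');
  const weakScriptSources = scriptSrc
    ? scriptSrc.filter((s) => s === '*' || s === 'http:' || s.startsWith('http://'))
    : ['(no script-src or default-src)'];

  return { framing, weakScriptSources };
}

// Constructed sample headers, not captured from a real app.
const sample = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "script-src 'self' http://analytics.example.test",
};
console.log(auditHeaders(sample));
```
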

And that post above was from April 2015. Must’ve been unearthed from the topics categorization.

1 Like

Yes, but it is good to answer these even now with updates after all these years in case someone comes across them in search.

1 Like