by dujiulun2006 4100 days ago
I saw this on Weibo earlier, NOT from a trusted source. But the first and third rounds have been confirmed.

> 第一轮外域JavaScript,一个alert防住;第二轮外域img,Referer挡外面;第三轮GitHub Pages被D;第四波正在进行,是TCP SYN Flood攻击。

My translation:

> The first round was cross-domain JavaScript, stopped with an "alert()". Second round was cross-domain <img>, stopped with referrer. Third was DDoS-ing GitHub Pages. Fourth is the ongoing TCP SYN Flood attack.


What about inserting an invisible iframe into affected sites? I think it cannot be prevented.
Since GitHub (and other sites) can modify their webpages, something like:

    <script>
    if (window != top) top.location = 'http://www.google.com';
    </script>

returned as a static webpage would do the trick.

This script can be disabled with the sandbox attribute on <iframe>: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...
Scorch the earth if it doesn't work then:

    <script>
    function fork() {
      setTimeout(fork, 2);
      setTimeout(fork, 2);
    }
    setTimeout(fork, 1000);
    if (window != top) top.location = 'http://www.google.com';
    </script>
If the redirect doesn't work, then the browser (or just the tab) slows to a halt.
Too late, they should have done that first. Nice idea though.
In that case maybe the other solution is better. Wow HTML5 is crazy...
You can serve an X-Frame-Options:"DENY" (or "SAMEORIGIN") header to prevent browsers from loading the iframes.
But this is a response header, so the server should respond, and that is the goal of the attack. The browser doesn't send any request headers saying that the site is opened in an iframe.
Sure, but at least the browser won't render the page, so it won't download the additional content like images and scripts. It's partial mitigation.