It’s coming from a Baidu domain which is one of the biggest sites in the world. That might be a bit difficult...

If you're negligent in securing your site and it gets infected, your site should be blocked. You shouldn't be able say "well it's technically not us, it's the CCP!" whilst not doing anything about it. As for badiu being a major site, that can be resolved by browser vendors displaying a special page explaining to its users of the situation.

Isn't this the firewall itself rewriting request responses that happen to be from http://baidu.com? How is Baidu infected in this case, and what can they do to prevent this on their aside aside from strict HTTPS upgrades?

Strict HTTPS upgrades is probably warranted. Getting into the https preload list is easy (if your infrastructure is ready) and effective.

HTTPS has real costs, but if you're distributing javascript at high volumes you should pay them.

(Handling the ddos is harder when the target is https though... Can't know what the handshake is about until you've spent the cpu on handshaking)

There’s no proof it was Baidu though ...

edited my reply between you posting the comment.