It has resisted all attempts by me to null it or re-assign it, and as soon as the domains no longer match exceptions are thrown.
From a security point of view I think this is sufficient to prevent your phishing example.
It would appear that at least the WebKit team agree about the
window.opener being read-only.
- Re: [whatwg] window.opener and se... Hallvord R M Steen
- Re: [whatwg] window.opener an... Gareth Hay
- Re: [whatwg] window.opener an... Hallvord R M Steen
- Re: [whatwg] window.opener an... Gareth Hay
- Re: [whatwg] window.opener an... Hallvord R M Steen
- Re: [whatwg] window.opener an... Gareth Hay
- Re: [whatwg] window.opener an... liorean
- Re: [whatwg] window.opener an... Gareth Hay
- Re: [whatwg] window.opener an... Thomas Broyer
- Re: [whatwg] window.opener an... liorean
- Re: [whatwg] window.opener an... Gareth Hay
- Re: [whatwg] window.opener and security timeless
- Re: [whatwg] window.opener and security Hallvord R M Steen
- Re: [whatwg] window.opener and security Martijn
- Re: [whatwg] window.opener and security Hallvord R M Steen
