It would appear that at least the WebKit team agree about the window.opener being read-only. It has resisted all attempts by me to null it or re-assign it, and as soon as the domains no longer match exceptions are thrown. From a security point of view I think this is sufficient to prevent your phishing example.
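The two defences implied by the discussion above, written out as an added example (not code from the original thread): the opening page adds `rel="noopener noreferrer"` to its `target="_blank"` links so the opened page never receives a usable `window.opener`, and the opened page tries to detach its own opener, tolerating the case where the assignment is refused. The window stand-ins at the bottom are constructed so the block runs under Node; the read-only one models the throwing behaviour the reply reports for WebKit and is an assumption, not a browser API.

```javascript
'use strict';

// Opener-side defence: add noopener/noreferrer to an anchor's rel attribute.
// Takes the existing rel string, returns the hardened one (duplicates removed).
function hardenRel(rel) {
  const tokens = new Set(String(rel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return Array.from(tokens).join(' ');
}

// Apply hardenRel to a list of anchor-like records {href, target, rel}.
// Only target="_blank" anchors are changed; a new array is returned.
function hardenBlankTargets(anchors) {
  return anchors.map(a =>
    a.target === '_blank' ? { ...a, rel: hardenRel(a.rel) } : { ...a });
}

// Child-side defence: a page opened by another tab tries to drop its opener.
// Assignment may throw (the post reports this for WebKit when origins differ),
// so the outcome is reported rather than assumed.
// Returns 'none' (no opener), 'detached' (now null) or 'blocked' (refused).
function neutralizeOpener(win) {
  if (!win.opener) return 'none';
  try {
    win.opener = null;
    return win.opener === null ? 'detached' : 'blocked';
  } catch (e) {
    return 'blocked';
  }
}

// Constructed window stand-ins (assumptions, not real browser objects).
function makeWritableWindow() {
  return { opener: {} };
}
function makeReadOnlyWindow() {
  const w = {};
  Object.defineProperty(w, 'opener', {
    get() { return {}; },
    set() { throw new TypeError('opener is read-only'); },
  });
  return w;
}

// Demonstration on constructed input.
console.log(hardenBlankTargets([
  { href: 'https://example.test/', target: '_blank', rel: 'nofollow' },
  { href: '/local', target: '', rel: '' },
]));
console.log(neutralizeOpener(makeWritableWindow()));   // detached
console.log(neutralizeOpener(makeReadOnlyWindow()));   // blocked
console.log(neutralizeOpener({}));                     // none
```

In a real page `hardenBlankTargets` would be driven by `document.querySelectorAll('a[target="_blank"]')`, and `neutralizeOpener(window)` would run at load; the return value tells you whether you are relying on the browser's own protection or on your own detachment.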