Bug 1813463 Comment 8 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

While I haven't confirmed that the actual phishing website uses this strategy (as noted, the code is annoying to look at due to frequent `debugger;` statements, and general obfuscation strategy), I'm guessing that it uses an approach similar to the `document.write` one I've quickly implemented in this file. I've also included an example which doesn't update the URL bar (leaving it at `about:blank`), but where the content is still controlled by the website.

We probably want to make sure that the security info for these documents reflects that the document is under the control of web content.

EDIT: I should note that in the second example I showed, the URL bar doesn't even show security info, just showing the magnifying glass, as it is considered to be a blank document.
