(In reply to :Gijs (he/him) from comment #4)
The site can open a popup to anywhere, it doesn't need to be its own site. The permission is for the opening site, not the target site. The page could also navigate after being opened. If the site has XSS or other vulnerabilities, there is no way anymore for the user to tell whether the popup is really at the target site. Also, the user might remember when opening the popup, but if it stays open for longer, they might forget, or confuse it with other sites where they've also allowed popups.
Again, it is up to the user to decide if they trust the site to allow it to create popups. If the site is going to include iframes or pull in stuff from other sites, it is up to that site to keep on top of it and remove them, and the user can always revoke the permission. Likewise, they could forget that they allowed cookies or other permissions, but you don't prevent them from allowing those. Popups are no more special or hazardous than any other permission, so telling users that they are not allowed to have the choice to decide what they allow is bad design, especially since it is easy to default to safe by merely making it opt-in (whitelist).
the contents of the page aren't a good indication of the site that is serving those contents. Users need to be able to identify the former.
Again, you can draw more attention to the URL in the prompt and then leave it to the user. Again, default to not-allow, then let the users choose what they want to allow.
it's like if you grant a site permission to use the camera, but arbitrarily restrict it to 640x480 or grant a site permission to set a cookie but force it to expire within a day.
Those aren't really equivalent things.
Sure it is. You allow users to grant permission to sites to create popups, but then impose a browser-wide restriction that prevents them from reducing the window chrome and forces them to waste titlebar space with the URL.
And so do camera permissions - after all, we always show a sharing indicator on the tab and on the desktop, even if you've granted permanent permissions to a site, and there is no way for the site or the user to remove that, because it's an important security indicator.
With the camera, there is a popup in addition to the little icon in the location-bar (redundant), but it makes sense because it's an active thing that they might forget is being used. With popups, the existence of the popup is the indicator that the site has permission to create one. Even then, you could create an unobtrusive indicator.
Besides, you don't provide any sort of visible indicator for cookies, you leave it to users to go through the list and adjust as necessary. It could be the same for popups (and all permissions).
You're asking to be able to site-specifically give a site much more significant popup permissions, among which is defeating explicit security measures that we take to ensure users stay in control of popups and can tell what page they're on. You haven't really given any reasons why you need that level of control.
Except that you are not letting users stay in control of popups; you are making the devs (via the browser) retain control on the assumption that users can't possibly be trusted to do things for themselves. That's exactly what ruined Chrome.
You want a use-case scenario? Easy: an unobtrusive, minimal-chrome video-streaming window in the corner of the screen to allow users to watch videos on their computer while doing other things. Another example would be a game window (especially for things like idle games). Or a stock-market site, a chat box, or any number of other sites that a user might want to tuck away on the side of the screen and monitor in the background while doing other things.
Obviously they would want to minimize the screen footprint of the window but retain the ability to see information in the titlebar without it being pushed out of sight by the URL.
Even if you yourself have some reasons, most users don't need this level of control, so it's a bad engineering trade-off to try to implement them.
See, that's exactly what ruined Chrome and Windows, and lots of other things that started out good, but turned bad; devs who can't put themselves in others' shoes and assume that just because they don't use something or can't think of a use-case scenario, that it must also be true of all users. 🤦 Please do not become Google. Firefox is our last bastion of hope in a browser landscape of Chromium-based browsers.
The point is that you should allow users to retain control of their browser and allow them to choose what they trust and what they allow. There is no reason to block users from doing what they want/need to do for security if you just set the default settings to deny and then allow them to purposely grant permissions. That way anything that goes wrong is the user's fault, just like with everything else in the browser and in life. Protecting users from themselves by not allowing them to do things under any circumstances is like Windows preventing users from running programs that aren't in a Microsoft-approved list or installing unsigned drivers. It's just wrong. Windows protects users by popping up a confirmation box with a warning and relevant information, and then letting the user decide if they want to take that chance or not (at least for now…) and Firefox does the same for the most part, but is inconsistent.
The world is moving more and more online and most programs are shifting away from desktop apps to web-apps, so there is an ever-growing need for a sort of kiosk-mode for websites. It is no good to have a program cluttered and encumbered with lots of browser-chrome. Such a kiosk mode is already doable by just giving sites the ability to choose what window chrome to include in window.open and allowing users to choose what sites get that right.