Dangit. We missed a real problem. It happens that XUL command handlers are fired in the mouseup event. So with window.open ignored in mouseup by default, remote XUL like this <command oncommand="window.open(...)"> is blocked. I suppose the best thing would be to add mouseup to the default list of events.
Comment on attachment 151367 (allow mouseup by default): r+sr=jst (bzbarsky is out of reach until mid-July or so, IIRC)
Comment on attachment 151367 (allow mouseup by default): a=mkaply for 1.7.1
Actually I'm not certain we have to do this. It's beginning to look as if remote XUL needs to be privileged enough to open as chrome (bug 244766, bug 244965) before it can be useful anyway (bug 248004). And that would obviate the need for this change. Holding off for now.
Alright. mouseup (unlike mousedown!) is fairly innocuous and kin to click. Also, not all remote XUL need necessarily be privileged. So the patch is checked in to the trunk for 1.8a2 and the 1.7 branch for 1.7.1.
The patch is not checked in yet to AVIARY_1_0_20040515_BRANCH. Please check in to AVIARY_1_0_20040515_BRANCH.
Now also checked in on the Aviary branch for 0.9.1+.
(About comment 5: this change is indeed on the 1.7 branch, but will not be picked up in a release that hasn't synched with the main 1.7 branch. To date no 1.7.x release has done this.)
*** Bug 267208 has been marked as a duplicate of this bug. ***