
That's actually an interesting point. I wonder how many sites would be broken by disabling methods that shift window focus, like Window.focus() and Window.blur()? Probably not many...



Every bank website I've used so far does forced pop ups, as well as websites that want you to authenticate yourself using some other service (such as Google, or Facebook.)


Pop ups are reasonable. The pop unders are what Google is saying are user unfriendly.


They might be, but the person I was replying to wanted to disable all methods that shift window focus. It won't work, at least as of right now.


When a window is created (with Window.open, or from a link with target="_blank"), it implicitly gets focus. That part wouldn't change.


> Every bank website I've used so far does forced pop ups

But why do they do this? I have yet to have someone give me a good explanation.


It's done to escape from iFrame jail attempts. Rogue site loads bank site in iFrame, end user types in their password...


Browsers are not supposed to let JavaScript access the DOM or events in a cross-domain iframe, is that not correct?


Correct, but it's still possible for the parent page to overlay invisible textboxes and buttons in order to capture input.


Wow, what a tire fire the web has turned out to be.

Can we just throw the whole thing out and start over? I miss the 90s...


Why not implement a good 2FA then to avoid the problem entirely? The way I see it, if someone can steal your bank login details using iframes as a weapon then the bank is doing something wrong. Banning pop-ups entirely would force the banks to shape up.


Isn't it easier to set X-Frame-Options to deny or sameorigin?


Yes, absolutely. But that didn't work on some older browsers (like MSIE7 and earlier), so some sites settled on weird "solutions" like this one...
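A header check for the X-Frame-Options suggestion above, as an added example that is not part of the thread: it classifies a response's anti-framing policy so a site owner can confirm the header is actually effective. The function name `framingPolicy` and the sample headers are hypothetical, and the handling of the CSP `frame-ancestors` directive goes beyond what the comments mention.

```javascript
// Added example (not from the thread): classify a response's anti-framing headers.
// `headers` is a plain object of header name -> value; repeated headers are
// assumed to arrive comma-joined, as HTTP clients usually present them.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // CSP frame-ancestors: browsers that support it use it in place of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0) return { via: 'csp', policy: 'invalid' };
    if (sources.length === 1 && sources[0] === "'none'") return { via: 'csp', policy: 'deny' };
    if (sources.includes('*')) return { via: 'csp', policy: 'open' };
    if (sources.every((s) => s === "'self'")) return { via: 'csp', policy: 'sameorigin' };
    return { via: 'csp', policy: 'allowlist' };
  }

  const raw = h['x-frame-options'];
  if (raw === undefined) return { via: 'none', policy: 'open' };

  // Header values are case-insensitive; identical duplicates collapse to one.
  const values = [...new Set(raw.split(',').map((v) => v.trim().toUpperCase()))];
  if (values.length === 1 && (values[0] === 'DENY' || values[0] === 'SAMEORIGIN')) {
    return { via: 'x-frame-options', policy: values[0] === 'DENY' ? 'deny' : 'sameorigin' };
  }
  // ALLOW-FROM is obsolete, and unknown or conflicting values are not
  // something to rely on, so report them rather than count them as protection.
  return { via: 'x-frame-options', policy: 'invalid' };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  bare: {},
  deny: { 'X-Frame-Options': 'deny' },
  conflicting: { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  csp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
};
for (const [label, hdrs] of Object.entries(samples)) {
  console.log(label, JSON.stringify(framingPolicy(hdrs)));
}
```

A result of `open` or `invalid` means the response can still be framed by another origin in at least some browsers, which is the situation the pop-up workaround was trying to avoid.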


No idea. It just gets caught by the pop-up blocker for me. I end up just copy-pasting the URL over into a new tab, somehow.


When it comes to web software at banks, there's rarely a good reason "why". They build some of the worst garbage you can find.



