There are Cloud IDEs that need full access to basically emulate browser tabs within their windowing system. Right now, if you’re developing a site that sends headers that don’t allow pages to be iframed, you can’t have a preview of the site open within the page.
I understand the merit to not allowing a site to be silently iframed, as that opens up lots of potential exploits like clickjacking. However, there are some applications that look to legitimately provide a further level of chrome around the browser, in a way that a user would actually explicitly want.
I’m suggesting that there should be a function that can be called that will pop up a bar like the one for getting access to the user’s location or webcam, with a message like “http://example.com is requesting permission to open other websites.”
The example I gave was of a preview frame in a web IDE. Another example might be a prototype / mockup for a new browser interaction paradigm (i.e. one where each of your tabs/windows is presented spatially in a zoomable plane).
This could be achieved via browser extensions, but so could any other extended page behavior (like being able to access the filesystem). This is about discussing this as a cross-browser feature of the web platform.
I think something along the lines of “http://example.com is requesting permission to open other websites”, with a “more info” link and maybe text like “I trust this page” for the “Allow” button, could be enough. Most non-technical people I know would understand and reject “allow this page to open other websites” the same way as they reject “allow this page to see my location”.
That said, one of the things I’d look for in this thread is brainstorming ideas for more clear wording that could more effectively convey the potential dangers of allowing this permission (while still being concise enough for a one-sentence infobar, since users tend to ignore any warning longer than a sentence).