security - Browser window popups - risks and special features

Question

1. What exactly is the security risk with popups?
The new browsers provide settings to block window popups (on blocking, sites with active popups display a message to user). What exactly is the security risk with popups? If allowing popups can execute something dangerous, then the main window can too. Is it not the case. I think I don't know about some special powers of window popups.

2. Any special features of popup windows?
Take for example the HDFC bank netbanking site. The entire netbanking session happens in a new window popup and a user neither manually edit the URL or paste the URL in the main browser window. it does not work. Is a popup window needed for this feature? Does it improve security? (Asking because everything that is there in this site revolves around security - so they must have done that for a reason too). Why otherwise they would implement the entire netbanking on a popup window?

3. Is it possible to override browser's popup blocking settings
Lastly, the HDFC site succcessfully displays popup window even when in the browser settings popups are blocked. So, how do they do it? Is that a browser hack?
To see this -

• go to http://hdfcbank.com/
• Under the "Login to your account" section select "HDFC Bank NetBanking" and click the "Login" button.

You can verify that even if popups are blocked/popup blocker is enabled in the browser settings, this site is able to display popups.

The answers to this question say that it is not possible to display popup windows if it has been blocked in browser settings.

Solved
Concluded with Pointy's solution and comments under that:

<a onclick="displayPopup();" href="#">
   Click here for a popup - this will appear even if popups are blocked in browser settings.
</a>

Here is a fiddle demonstrating the same.

Answer 1

The "security" risks from popup windows are:

• Popup windows are a notable "phishing" technique. Hostile sites can use popups to convince users that an important message from a trusted site has been delivered, and trick those people into clicking through to some malware URL (or perhaps even just the click itself might exploit a bug). Yes, the main page of the site could do that too, but a well-crafted popup can distract the user and may not be directly associated with the hostile main page.

• Popups were exploited by many unsavory sites as a way to "trap" users and to essentially force ad impressions, etc. In this respect, the security aspect of the problem really is the security of the user's control over their own computer and their browsing desires.

Modern browsers will allow popups when they're launched from an event loop triggered by an explicit user action. Thus, it's perfectly OK (ignoring web design best practices) to open up something like a "Help" section for your website in a separate window if that happens when the user clicks a "Help Me!" button. Also, it's become quite common for sites to use in-page "pseudo windows" to jam content in front of hapless visitors, and browsers really can't do anything to stop that.

edit — as to your other points:

Why do sites put their "web applications" like banking into separate pop-up windows?

I think that most sites that use separate browser windows (banks, insurance companies, and other financial institutions seem to really love this) probably do it so that they can try to control the browser "surround" of their application. In particular, they seem to like the idea of getting rid of the "Back" button as a way to simplify their designs. A browser window is a browser window, however, and a window created with window.open() isn't really much different from any other browser window.

Can popup blocker settings be overridden?

No. That HDFC bank example is a good one. Their popup window comes up only when you click on the "Login" button. Because that "click" is an explicit user-initiated action (unlike, say, page load), the browser will allow a popup window. That'll be true for any site; the bank doesn't have to do anything special for that to work. You can generally do popups from "click" event handlers, but you cannot launch a popup from something like a state change handler from an XHR.