Окна и Фреймы (англ, кто б перевёл)

A popup window is one of the oldest methods to show additional document to user.

Basically, you just run:

window.open('http://javascript.info/')

The dualistic window object provides global JavaScript object and browser window interface.

In this section we concentrate on the browser part.

Both checking if the window is focused and focusing on a window/tab is tricky.

That’s partially because the focus/blur event do not bubble, and partially because the browser window is a part of OS and JavaScript is not integrated with the OS window manager.

Also, the security is important here, because the JavaScript focus/blur may not override a user’s will.

Still, let’s find out what we can do and see the possible pitfalls.

Frames is an old-school way to split a browser window in several zones, so called frames, where each frame behaves as a separate window.

The «Same Origin» policy limits the access of one window to another.

The reason behind that is security. If you have blabla.com in one window and gmail.com in another one, then you’d not want a script from blabla.com to access or modify your mail or run actions in context of gmail on your behalf.

Cross-window messaging API is supported by all modern browsers including IE8. It allows windows/frames from multiple domains to communicate with each other.

The Clickjacking attack allows to perform an action on victim site on visitor’s behalf.

Many sites were hacked this way, including Twitter and Facebook (both fixed).