The Belay web site for 9-24, Friday, proposes this:
Side discussion: click/key jacking (and accidental clicking on
popups): popup windows, since they do not result from a user action,
should not have focus until they are clicked on. In order to allow
popups that _do_ result from user actions (e.g. launching an
application), then a simple rule works: if you have focus, then you
can transfer it. If you do not, then only the user can give it to you.
https://sites.google.com/site/belayresearchproject/september-on-site/friday-september-24th
I thought I'd point out that there seems to be some risks with this
policy as well, at least on the legacy web. In particular, there's
still the risk that a malicious site redirects keystrokes to a victim
web page, defeating trusted path. See strokejacking:
http://lcamtuf.blogspot.com/2010/10/attack-of-monster-frames-mini.html
http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html
An alternative policy to consider might be: if window A currently has
focus, then window A can request to transfer focus to window B; if
window B accepts the focus (or also requests it), then the focus
transfer happen, otherwise nothing happens. Obviously, this is
incompatible with the legacy web.
-- David Wagner