Clickjacking + popups subvert TBB url-bar isolation
Right now, TBB treats popups as top-level content items (ie they are allowed to track you independently of their originating window). I think this is fine, because the Firefox popup blocker prevents popups from opening without an associated mouse click, and to me, mouse clicks indicate consent to visit a page and to establish a relationship with that page.
However, clickjacking probably ruins that model, in that it can cause popups to launch for tracking content whenever the user clicks anywhere on a page.
We include NoScript, which has some clickjacking protection.. But is it enough? Is it still functional if you have Javascript fully enabled? We should spend some time investigating current clickjacking techniques to see what is still possible these days.