You pretty much answered yourself, that it's impossible for security reasons. But you can still use iframes and ajax.
Just imagine a scenario, when popup with a fake address bar opens, you visit some site with a fake internet transaction dialogue box and somebody steals your real money. Weird, but 7 years ago it was possible.