by chatmasta 3063 days ago
Seems like the simple solution would be for those apps to include something like “rel=yesopener” on the link to the payment provider, as a way to explicitly opt into the functionality.

Browsers deprecate security related features all the time. See SSL, HSTS [EDIT: HPKP*], etc.

At the very least, browsers could remain backward compatible but mark the URI as “Insecure” in the address bar if the link could result in tab hijacking. Although on second thought, that would be challenging because it would require parsing the source of all links.


HSTS is not deprecated, HPKP is.

HSTS is what tells the browser "this website MUST be served over TLS".

HPKP is what tells the browser "this website must be served over TLS with this exact key".

HPKP is being deprecated due to the large "footgun" it creates for websites, and the difficulty of actually managing it. It's being replaced by "Expect-CT" which is a much easier and safer way of getting a similar result.

As well as a footgun, HPKP (and any similar pinning technology) unavoidably creates opportunities to take sites hostage. If the current owner of site X can say "Only trust this site if key K is involved in the trust chain" then if bad guys are able to take over the site even briefly, and say "Only trust this site if key J is involved" instead, they can sell you key J for however much you value your site. Without it, nobody in the world can "get back" your site in reasonable time, no court order, no service provider, nothing else will work. They can even choose to do this, then destroy key J, now your site is bricked and nobody can fix that.

Expect-CT is very different, I'm not sure "similar result" is the right phrase. HPKP lets you pin to any set of keys, a reasonable choice might be your current key, a spare key that your DevOps have ready to go, and one more that's printed out on a piece of paper in the company safe labelled "important: Web site private key, never lose this".

Expect-CT is like Python's from __future__ import: in the future we expect the Web PKI to use Certificate Transparency logging policy to ensure oversight over all CAs. Expect-CT lets you demand enforcement of such policy today, to the extent that's possible. Today policy is still in a state of flux, so enforcing it might not do what you expect, whereas HPKP was very predictable. On the other hand, it's definitely not subject to hostage taking, and it's probably less susceptible to footguns, so that's nice. And if the future does come to pass as expected it's future proof, since such a policy will become de facto the normal behaviour of common user agents.

[Edited to make more sense]
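As an added example (not from the thread or any of its commenters), a small Python checker that parses the three headers discussed above, HSTS, HPKP and Expect-CT, and flags the weak configurations the replies describe: an HPKP header with a single pin and no spare (the lock-out and hostage risk), and an Expect-CT header that only reports instead of enforcing. The sample headers are constructed, and the 6-month HSTS floor is this example's own threshold, not a value from the thread.

```python
"""Audit HSTS, HPKP and Expect-CT response headers for weak policies."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample headers (not from a real site). The HPKP value carries
# one pin only, i.e. no backup key, which is the misconfiguration the thread
# warns about; the Expect-CT value has no "enforce" directive.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="; max-age=5184000',
    "Expect-CT": 'max-age=86400, report-uri="https://ct.example.invalid/report"',
}

# name, optionally followed by =value where value is quoted or bare
_DIRECTIVE = re.compile(r'([\w-]+)(?:\s*=\s*("[^"]*"|[^;,\s]*))?')


def parse_directives(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a header value into (name, value) pairs with quotes stripped.
    A list is returned because HPKP repeats the pin-sha256 directive."""
    return [(name.lower(), val.strip('"') if val else None)
            for name, val in _DIRECTIVE.findall(value)]


def audit(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; thresholds are this example's choices."""
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}

    hsts = dict(parse_directives(h.get("strict-transport-security", "")))
    if not hsts:
        findings.append("HSTS missing: browsers are not told to require TLS")
    elif int(hsts.get("max-age") or 0) < 15768000:  # assumption: 6-month floor
        findings.append("HSTS max-age below 6 months")

    pins = parse_directives(h.get("public-key-pins", ""))
    if pins:
        n = sum(1 for name, _ in pins if name == "pin-sha256")
        days = int(dict(pins).get("max-age") or 0) // 86400
        if n < 2:
            findings.append(f"HPKP has {n} pin(s) and no backup: a lost or "
                            f"rogue key locks clients out for {days} days")

    ct = [name for name, _ in parse_directives(h.get("expect-ct", ""))]
    if ct and "enforce" not in ct:
        findings.append("Expect-CT is report-only: CT policy is not enforced")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```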