[homakov]

It can work w/o a click. Two caveats:

1) chrome blocks straightforward window.open if no click happened

2) user doesn't really expect automatic popup. So it's not how phishing should behave

3) yes, it CAN work similarly on HN, in case you are Paul Graham (if you can change HTML on front page)