PopupsAllowedForUrls and possible security issues

Hello everyone, 

I am writing here because I am searching for some information regarding the PopupsAllowedForUrls policy, which allows particular websites to open popup windows without user consent.

The context is the following: we are developing an Outlook Add-in for internal use, and we would like the add-in to open a popup window when the user clicks on a button. The popup window will perform some operation and show a recap to the user.

So, we configured the PopupsAllowedForUrls Group Policy on our Domain Controllers and we verified that it actually works, users can now use the Outlook add-in without receiving a "popup blocked" warning and the popup appears exactly as we want.

Now, my questions are security related, and in particular we would like to know if enabling that policy may pose a security risk or may allow the unintentional opening of malicious popups by a careless user, and if generally there are any counterindications of using such policy.

Our concern is, in fact, that another malicious add-in or attachment may take advantage of said policy allowing other popups to be opened by outlook.office.com, other than the one we want. Do you think it could be a possibility?

It would be great to be able to specify which websites can actually be opened in a new popup, but I couldn't find anything related to that. I hope that someone with more knowledge on this matter will be able to help.

Thanks in advance, have a lovely evening!

Dennis.