Hi Dave,
I can answer both parts of that question.
For the pop-up windows: Opening a window on Twitter.com (or our app) is necessary to complete actions because the widgets are not authenticated. We don’t require sites to register with us or authenticate to put Twitter in your page, but it means we can’t just perform an action inline. If we use an iframe from Twitter’s own domain (with a logged in session), then we open up our users to the vector of clickjacking attacks: If a follow button acted invisibly, it could be hidden in a page ({ opacity: 0; }), layered over the top of some other piece of UI (“Click Here to Claim Your Prize!”), and users would be tricked into following users they didn’t even see.
The pop-ups put users into a simple, minified Twitter context to complete the action without totally taking over the screen. It’s a simple compromise that keeps users secure and keeps the implementation of the widgets really simple for developers.
For the events, we had to make a change recently where all we can trigger for you is the type of interaction intended, not the result. This is because across large parts of the modern web platform, and the way in which some operating systems now integrate native apps alongside web content, we can’t reliably communicate messages from our Intents (or apps) back to host pages. We wrote about it in detail here: Announced change to Web Intent Events
Hope that helps,
Ben
