Currently, the browser pop-out does not observe the vault timeout. This is known, as it is written in the browser app introduction (browser-pop-out).
This is of course a security flaw and should be solved one way or another: if one uses the pop-out window in an unsafe environment (shared office, hotel lobby, restaurant, etc.) and one gets diverted or the device is grabbed, then the vault stays open. Not everyone is aware of this unexpected behavior, and the right manual measures are not taken.
While the expected functionality seems to run into technical limitations, workarounds shall be taken to mitigate the risk:
- Make a settings option to allow the pop-out window, which is off by default, with a warning message at activation.
- Add a red warning banner to the pop-out stating that the timeout is suspended.
- In addition, the pop-out could have its own time limitation, if that is possible.