Its not a popup from Roundcube, its one generated by a bookmarklet. After some researching, i found, that using a bookmarklet, is not the same as opening a new tab. The bookmarklet seems to work in browser context itself and that's why it cant re-use the session. Since it's a bookmarklet, i cant use postMessage for nearby the same reason. postmessage can only send messages to windows from where it was opened or parent iframes. Currently, i have no solution, i can think of. The only thing what could work, would be some sort of autologin, like the one in the autologin plugin or http_authentication. In this case, it will be independent from the actual session.
Using autologin is at least my eyes a little bit risky. I will not open a security hole. I know, i can open a connection, login, do only my defined action and nothing else and logout. But this will be a lot of request and actions for such a simple thing. Additionally the credentials have to be saved in the bookmarklet. Not the best idea in my eyes. Using http_authentication will not save the credentials somewhere, but it has nearby the same actions and requests and additionally, i have to enter for every request the credentials (either manually or by a password manager).
I think, using a bookmarklet is it not worth this much trouble. So, i f no one will request such a feature. I will put this on hold. For now, i have fixed and stabilized the bookmark plugin and thats all for now.
But many thx for your hints.