Chrome Version: 71
OS: All Desktop (Chrome OS, Windows, Linux, and macOS once we get PWAs there).

What steps will reproduce the problem?
(1) Go to https://killer-marmot.appspot.com/web/
(2) Install this app and open the installed app window.
(3) Click "Fork me on GitHub".

What is the expected result?
The PWA app window navigates to GitHub, but because this is out of the app manifest's scope, a pseudo-location bar or "Chrome Custom Tab" (as it's called in Android) UI shows at the top of the window, indicating the origin of GitHub.

Note: If you install a non-PWA (Bookmark App, using Create Shortcut), you actually do get the desired behaviour, but the UI is ugly and needs a rework.

What happens instead?
GitHub opens in a new browser tab.

Bonus problem:

From the same app:
(3) Click "Post!" under "POST-and-redirect".

After 3 seconds, it redirects back automatically.

The expected behaviour is that the out-of-scope site https://redirectonpost.appspot.com appears in the same window in a CCT, then redirects back to Killer Marmot, hiding the CCT UI.

The observed behaviour is that the out-of-scope site https://redirectonpost.appspot.com appears in a new browser tab, and then redirects back to Killer Marmot, resulting in a duplicate Killer Marmot page in a browser tab. This is typical of off-site authentication flows.

Note: The current behaviour is actually mandated by the Manifest spec. This is a problem. We are working on a (breaking) change to the spec, at https://github.com/w3c/manifest/issues/646. In the mean time, Chrome will be intervening here because the broken auth flow is unacceptable, and we've already intervened on Android.