This appears to be a feature... really. I looked at the URL you are calling into the popup - it's presumably not your server. Think about it, what chaos could ensue if any popup could redirect it's opener.
I had the same problem with a site where my popup has the https protocol being opened from the same server on regular http protocol... flagged errors and wouldn't work. My solution doesn't apply here, I had control of both servers.
I'm going to suggest that you use a frameset. Have paypal come up in the main content area and any control/manipulation you do , have that in another frame. Main thing, you want the URL you put in that window.open command to be the same server/protocol as the page it's in.