Today I was playing with some web security, and there was a surprise when I decided to test the Forget the Password link on Facebook.
I chose to send the password reset code to my Gmail address, and right after that Facebook pops up another window with a message telling me that I don't have to worry about my password reset code as I am already logged into my Gmail account.
How can they do that?
I am guessing that it has something to do with the OpenID protocol, but shouldn't I have to allow it in order for Facebook to interact with my Gmail account?
In Account Settings, there's a "Linked Accounts" section where you can have Facebook automatically log in if you're logged in to one of your OpenID-enabled accounts on other sites. Maybe you forgot that you linked your Gmail account?
The OAuth tokens for Google are at https://accounts.google.com/b/0/IssuedAuthSubTokens (it's different from Linked Accounts).
When I tried it, Facebook created a popup with an OAuth prompt the first time and only briefly opened a blank popup on subsequent attempts. De-authorizing Facebook makes the prompts appear again.
Have you looked at your Google account to see if you gave Facebook permission to access your Google information?
It uses OpenID. If you've previously used OpenID to give Facebook access to your e-mail (such as to import your contacts to Facebook), then it'll try and do that. If you haven't done so, then you'd be presented with a prompt to give Facebook access (if you say no, then just go and actually wait for the password reset e-mail to get delivered to you).
This isn't the case. As mentioned, the only site that can access Gmail cookies is Gmail. I have just tested this exact method and (having never authorised before) the popup took me to a page on the accounts.google.com sub-domain asking me to authorise access for Facebook. This is exactly what I would expect and hope to happen.
It would appear the OP has previously authorised such an action, maybe through Google Buzz or similar?
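
The behaviour reported in this thread (a consent prompt on first use, a silent popup afterwards, the prompt returning after de-authorizing) can be reproduced with a small model of an identity provider's authorization endpoint. This is an added example, not part of any post above and not Google's or Facebook's code; the class, the client name, the e-mail address and the one-time code standing in for the provider's signed response are all assumptions made for illustration.

```python
# Simplified model of an identity provider (IdP) authorization endpoint.
# Every name and value here is constructed for illustration.
import secrets

class IdentityProvider:
    def __init__(self):
        self.sessions = {}   # IdP session cookie -> user
        self.grants = set()  # (user, client_id) pairs the user has approved
        self.codes = {}      # one-time code -> (user, client_id)

    def login(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie  # scoped to the IdP's own origin only

    def authorize(self, idp_cookie, client_id, user_approves=None):
        """Popup request. The browser sends idp_cookie to the IdP only;
        the relying party never sees it."""
        user = self.sessions.get(idp_cookie)
        if user is None:
            return ("login_required", None)
        if (user, client_id) not in self.grants:
            if user_approves is None:
                return ("consent_prompt", None)  # first use: ask the user
            if not user_approves:
                return ("denied", None)          # fall back to the reset e-mail
            self.grants.add((user, client_id))
        code = secrets.token_urlsafe(16)         # prior grant: no prompt shown
        self.codes[code] = (user, client_id)
        return ("redirect", code)

    def redeem(self, code, client_id):
        """Relying party exchanges the code for the verified identity."""
        user, issued_to = self.codes.pop(code, (None, None))  # single use
        return user if issued_to == client_id else None

    def revoke(self, user, client_id):
        self.grants.discard((user, client_id))

def demo():
    idp = IdentityProvider()
    cookie = idp.login("alice@example.com")
    steps = [idp.authorize(cookie, "relying-party")[0]]            # first visit
    steps.append(idp.authorize(cookie, "relying-party", True)[0])  # user allows
    status, code = idp.authorize(cookie, "relying-party")          # later visit
    steps.append(status)
    identity = idp.redeem(code, "relying-party")
    idp.revoke("alice@example.com", "relying-party")               # de-authorize
    steps.append(idp.authorize(cookie, "relying-party")[0])
    return steps, identity
```

The relying party only ever receives the code and the identity it redeems; the session cookie stays between the browser and the provider, which is why a stored grant is the only thing that can make the popup close without a prompt.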