Which API got rejected? You mention two different APIs for opening a window. They might look much alike but are actually very different.
The high level API “sdk/windows” is for opening browser windows. It should be safe to pass any URL to this and I’d have thought it should pass review. That is the point of the API, to open browser windows with web pages in them.
The low level API 'sdk/window/utils" also has an open function. It is not safe for remote urls. It is for opening local content such as a preferences dialog. It would normally be passed an XUL file from a chrome:// address, probably a file bundled in the addon. I don’t use the SDK, but I didn’t think it was even possible to load an http:// address this way. openDialog() is the same thing, but allows some different options to control the behaviour of the window. Definitely wouldn’t pass review if a remote url was passed.
Incidentally, it is possible to open a window this way and load a web page into it, but you would do that in two steps: open the window and then call a function such as loadURI() to load the web page safely as content. The url which is loaded into such windows is “chrome://browser/content/browser.xul”, and this is a default value so if you pass a blank string you get a browser window. You should also be able to pass in certain special addresses such as “about:blank” to control how the browser window starts out.
So possibly your only problem first time around was using the low level API instead of the high level API, if I’m reading your timeline correctly?