0

I'm developing a little web applications and I need the user to be in fullscreen to use some features. I'd like to be sure (in the backend) that the client does enable fullscreen. As everybody know we cannot trust what happens in the browser; is there any other way I can be sure the user enables the fullscreen mode?

UDPATE The feature is the following: I wanna provide an online test feature and I wanna be sure that every user taking the test uses the app in fullscreen to add some layer of security against cheating.

thelicato
  • 11
  • 4
  • 1
    Does this answer your question? [Detecting if a browser is in full screen mode](https://stackoverflow.com/questions/1047319/detecting-if-a-browser-is-in-full-screen-mode) – Nico Haase May 28 '20 at 13:52
  • Ultimately, no. Your backend has no direct access to the frontend, it can only know what the frontend voluntarily reports to it. Worst case the user will use a packet sniffer to alter the information the frontend sends to the backend to lie about being in full screen… – deceze May 28 '20 at 13:53
  • Could you explain in more detail? Are you trying to prevent the user from being able to see other resources while in your fullscreen app or is it just that these features only make sense while in fullscreen? There is the [fullscreen](https://developer.mozilla.org/en-US/docs/Web/CSS/:fullscreen) pseudo selector that might help if you just want styling differences. – zero298 May 28 '20 at 13:53
  • I need a way to be sure in the **backend** that the user in the **frontend** enabled the fullscreen mode to prevent the user from cheating. – thelicato May 28 '20 at 14:16
  • 2
    Then you're SOL, sorry. – deceze May 28 '20 at 14:18
  • Tha's sad. Is there some other solution rather than JavaScript? – thelicato May 28 '20 at 14:29
  • Again, your backend only knows what the frontend sends it. Anyone can send anything at any time from anywhere to your backend. You have absolutely no guarantee that any of it is trustworthy. The first lessen about servers is that the client can never be trusted. – deceze May 28 '20 at 14:30
  • "sad" is the wrong way to look at it. It's what makes the web as flexible and accessible as it is. There will ***always*** be a way to circumvent a counter-measure like this anyway (running in a virtual machine jumps to my mind). – zero298 May 28 '20 at 14:37
  • @deceze Yep, I know. That's why I made this question. I was hoping someone came up with a smart solution, probably I need to add some other kind of anti-cheating layer. – thelicato May 28 '20 at 14:43
  • @zero298 The virtual machine counter-measure is pretty smart; it was not a cheating-solution I thought about before you mentioned it. – thelicato May 28 '20 at 14:44
  • I'm not really sure what kind of cheating you could prevent here exactly… A test where you're not allowed to look at Wikipedia? Don't people have more than one screen these days? – deceze May 28 '20 at 14:46
  • @deceze Not everyone has more than one screen. Of course a webapp that applies only this anti-cheating practice is useless, even though I think that adding also this feature, alongside with others, could be of help. I mean, it is not the solution but I don't think it is useless – thelicato May 28 '20 at 14:51
  • I mean, none of this is going to be 100%. You can use the Javascript API to detect fullscreen and send that information to the backend. It's entirely circumventable in several ways, but you'll catch the technically inept… – deceze May 28 '20 at 14:53
  • @deceze Yep, with the inept I can just send the document.fullscreenElement to the backend. I think I need to enforce/add other anti-cheating features to be "sure" (I know you can never be) that the user does not cheat. Thank you – thelicato May 28 '20 at 14:56

0 Answers0