Removing Firefox Star Icon and Bookmark Icon

I am building an application which has requirements stating that all browser features must be disabled. (It's a test taking application and they are worried about security/cheating.)
I popup a new window so that I can make it fullscreen, disable the menu bar, tool bar etc. However Firefox still has two icons remaining that I can't figure out how to disable. The 'Page' icon and the 'Bookmark' star icon are still on even when I call window.open with location=no. Here is the window.open command:
window.open("filename", "test", "fullscreen=yes,status=no,toolbar=no,location=no,menu=no,directories=no,scrollbars=yes");
Is there anything I can do about this?

From the MDC documentation for window.open():
Mozilla and Firefox users can force new windows to always render the location bar by setting dom.disable_window_open_feature.location to true in about:config or in their user.js file
In Firefox 3, dom.disable_window_open_feature.location now defaults to true, forcing the presence of the Location Bar much like in IE7.
This was done to help thwart phishing exploits. You're better off (your users are better off) leaving it enabled, even if you have control over the machines on which the browser is running.
You should really be designing your application such that knowing or bookmarking the URL won't help would-be cheaters. For instance: don't accept an answer to a question when an answer has been previously submitted.
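A sketch of the server-side rule suggested above, added here as an example and not taken from the original answer: the first accepted answer per question is final, and the attempt itself cannot be restarted or extended from the client. The names `ExamAttempt`, `startAttempt` and `handleSubmission`, the in-memory store and the request sequence are all assumptions made for illustration.

```javascript
// Added example: exam state lives on the server. All names are hypothetical.
class ExamAttempt {
  constructor(questionIds, durationMs, now) {
    this.questionIds = new Set(questionIds);
    this.deadline = now + durationMs;
    this.answers = new Map(); // questionId -> first accepted answer
    this.closed = false;
  }

  // Decides from server-held state only, so reloading, bookmarking or
  // replaying a URL cannot change an answer or reopen the attempt.
  submit(questionId, answer, now) {
    if (this.closed) return { ok: false, reason: "attempt-closed" };
    if (now > this.deadline) {
      this.closed = true;
      return { ok: false, reason: "time-expired" };
    }
    if (!this.questionIds.has(questionId)) return { ok: false, reason: "unknown-question" };
    if (this.answers.has(questionId)) return { ok: false, reason: "already-answered" };
    this.answers.set(questionId, answer);
    if (this.answers.size === this.questionIds.size) this.closed = true;
    return { ok: true, reason: "accepted" };
  }
}

const attempts = new Map(); // attemptId -> ExamAttempt (a database in practice)

// An attempt id can be started once; revisiting the start URL does not reset it.
function startAttempt(attemptId, questionIds, durationMs, now = Date.now()) {
  if (attempts.has(attemptId)) return false;
  attempts.set(attemptId, new ExamAttempt(questionIds, durationMs, now));
  return true;
}

function handleSubmission(attemptId, questionId, answer, now = Date.now()) {
  const attempt = attempts.get(attemptId);
  if (!attempt) return { ok: false, reason: "no-such-attempt" };
  return attempt.submit(questionId, answer, now);
}

// Constructed request sequence: a resubmission of q1 is refused.
startAttempt("demo", ["q1", "q2"], 60_000, 0);
console.log(handleSubmission("demo", "q1", "B", 1_000)); // accepted
console.log(handleSubmission("demo", "q1", "C", 2_000)); // already-answered
```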

If you don't have control of the computer the user is taking the test on, there's nothing you can do (and opening a full screen window won't prevent cheating for savvy users, either).
If you do have control over the computer or can instruct the user to install an application, you'd be best suited by building an actual application with embedded WebKit or Gecko.

Related

open Chrome console when DOM ready and set viewport

I am wondering if there is any way I can open the Chrome console when the webpage is first loaded and set the viewport to a specific device (iPhone X), through JavaScript code.
I had to do a test where I should only work on the iPhone X viewport, so I thought it would be nice if they could already see the console opened with the relevant viewport active, so they could check my work straight away instead of pressing cmd+alt+j and then toggling the device toolbar.
Thanks
I don't know this to be true, but I'm guessing that might not be possible because it would infringe on the sandboxing principles that Chrome tabs are based on. You are asking for system level control of the Chrome Browser UI, and there's a lot of effort put into not letting JS code do that because of malicious intent.
You could try using Electron to build an App that does this for you, however that may still have the sandbox boundary concern.
EDIT - You may also look into the Chrome extension architecture. It allows you to implement code outside of the sandbox boundaries. I'm not entirely hopeful that this would work, but I do know that extensions allow you to control most of the interface.

IE Window launched by JavaScript is accidentally in kiosk mode

Summary
I'm developing an internal web application that contains the following link markup:
<a onclick="window.open('/path/to/my/new/page', 'windowname', 'fullscreen,resizable').focus(); return false;" href="/path/to/my/new/page">
Click here to open a fullscreen window.
</a>
The intent is for this to open a new full-screen window, which the user can then resize/close/move etc. However, under certain conditions the link actually opens what appears to be a kiosk-mode window (no titlebar, F11, Esc don't work to exit). To be clear, the page this link is located on is a normal user-started IE 11, Windows 7. We aren't experiencing this issue in Chrome 73, Windows 7, or Edge, Windows 10.
Additional Details
This launch link is working as intended when deployed to a development environment, whose URL looks something like https://mydevenv.local/mywebapp/ (intranet), but not when deployed to our production environment https://apps.ourproductiondomain.com/mywebapp/ (only accessible from our network). It wouldn't surprise me if our organization had site-specific settings for ourproductiondomain, but I have no clue where to start looking for a launch-in-kiosk-mode setting.
Using the IE dev tools, I edited the link and location and determined it seems to specifically launch in kiosk mode when the link is from ourproductiondomain to ourproductiondomain. Editing the link to https://google.com launches Google in regular full-screen mode as intended. Editing my markup into Google also opens my new page in regular full-screen mode as intended (with the link fully qualified to https://apps.ourproductiondomain.com/mywebapp/path/to/my/new/page).
Interestingly, changing the fullscreen to height=600,width=800 has a title bar and allows the user to control the window, but the buggy version has no address/location bar while the functional version does. Not a detail I care too much about, but it might help troubleshooting efforts.
The application is developed in ASP.NET MVC 5 but I don't think that matters since the rendered markup above is exactly the same in both deployments.
Question
Does anybody know what might be going on? If that's too broad a question, here's 2 narrow ones that I think might point me in the right direction:
How do you purposely and consistently launch a kiosk-mode window in IE 11 with JavaScript?
Where can you configure IE 11 with site-specific settings like "Make launched full-screen windows actually kiosk-mode windows"?
This sounds like a bug in IE. For security purposes, user scripts aren't supposed to be allowed to open windows in Kiosk Mode.
It does sound like there are some custom system settings in play here, although I wouldn't know where to find that setting.
A possible fix might be to explicitly specify that you want certain parts of the window frame to be visible:
window.open('/path/to/my/new/page', 'windowname', 'fullscreen,toolbar=yes,location=no,status=yes,menubar=yes,scrollbars=yes,resizable=yes')
Also, I see that your original script uses .focus() directly on the newly created window. I don't think you need it, and feel like that might be what actually causes the bug in IE to be triggered.

Is it possible to make a frameless PWA?

Something that slightly bugs me about progressive web apps on the desktop is that they retain the browser chrome/frame when you "install" them/pin them to your desktop. I love that the menu bar, bookmarks, etc. are gone, since the point is to feel like a native app rather than something in my browser, but the frame feels like one last thing standing in the way of a truly native feel. For comparison, consider the "frameless window" concept from nw.js or Electron.
So is there any way, e.g. an option in the manifest.json file, to hide the frame as well?
My research indicates that the answer is currently "no", so I guess a followup question would be, has there been any discussion of it? Are there concerns preventing it, or has it just not come up at all? Any info would be great.
Edit: To be clearer, I don't mean simply launching in a separate window with its own icon, that's just what desktop installed PWAs are. I mean removing/hiding the title bar as well, with the app icon and name and the minimize/maximize/close buttons, plus the thin frame border that runs around the outside of the entire window. All this stuff:
What you're looking for is display in the manifest (see https://developer.mozilla.org/en-US/docs/Web/Manifest#display).
"display": "fullscreen" indicates you want to completely hide the browser chrome.
However, support of specific display modes varies between browsers and platforms.
For example Windows 10 (via Edge) only supports browser and standalone right now, with support for fullscreen and minimal-ui coming in Redstone 5.
There is now a new mode as well: window-controls-overlay
see https://developer.mozilla.org/en-US/docs/Web/Manifest/display_override#values
See YouTube intro here: https://www.youtube.com/watch?v=tj0_4pcrj7s&t=1114s
And also: https://web.dev/window-controls-overlay
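How a browser chooses among the modes discussed in the answers above, as an added example that is not part of the original posts: `display_override` entries are tried in order, then `display` falls back along fullscreen, standalone, minimal-ui, browser. The function names and the sample manifest objects are assumptions; the supported-mode lists passed in are constructed inputs.

```javascript
// Added example; function names and sample manifests are hypothetical.
// Fallback chain of the manifest "display" member, most to least immersive.
const DISPLAY_FALLBACK = ["fullscreen", "standalone", "minimal-ui", "browser"];

// Returns the mode a browser supporting `supported` applies to `manifest`.
function resolveDisplayMode(manifest, supported) {
  const can = new Set(supported);
  can.add("browser"); // every browser can show the app in a normal tab

  // 1. display_override: the first entry the browser supports wins.
  for (const mode of manifest.display_override ?? []) {
    if (can.has(mode)) return mode;
  }

  // 2. display: start at the requested mode and walk down the chain.
  const requested = DISPLAY_FALLBACK.includes(manifest.display)
    ? manifest.display
    : "browser"; // a missing or unknown value is treated as "browser"
  const chain = DISPLAY_FALLBACK.slice(DISPLAY_FALLBACK.indexOf(requested));
  return chain.find((mode) => can.has(mode)) ?? "browser";
}

// In the page, check which mode was actually applied. Pass a wrapper such as
// (q) => window.matchMedia(q) so the call keeps its `this` binding.
function activeDisplayMode(matchMedia) {
  const modes = ["window-controls-overlay", ...DISPLAY_FALLBACK];
  return modes.find((m) => matchMedia(`(display-mode: ${m})`).matches) ?? "browser";
}

// Constructed manifest: ask for the overlay, fall back to fullscreen.
const sampleManifest = {
  display: "fullscreen",
  display_override: ["window-controls-overlay"],
};
// A browser that only supports "browser" and "standalone":
console.log(resolveDisplayMode(sampleManifest, ["browser", "standalone"]));
```

Because the result depends on the browser, a page that relies on hidden chrome should check the applied mode at runtime rather than assume the manifest value took effect.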

Chrome Notification API (for Extensions!) How to Re-enable Once Blocked?

I have spent considerable time researching this and hopefully I have just missed something so I thought I would bounce it off the StackExchange community as well.
Background:
On latest Chrome > 65, all of the notifications are stored on a per-site basis, so if one were to grant or deny notification popup for a SITE and want to reverse that decision (accidentally clicked the "block" for example) they can simply go into Chrome notification settings, find that specific site, and remove the block. This works as designed today and is well documented.
So here is the issue detail in a scenario:
Now, that exact same mechanism is used for extensions. An extension is initially granted all its required permissions and works properly. Then, the user accidentally clicks "block" one time on a single desktop notification from the extension using the "gears" cog-wheel icon on the notification which then changes the notify balloon to this prompt:
Now, any time that extension attempts to send a notify message, instead of the normal desktop notify, an ugly javascript notify pops up in the middle of the screen (with the exact same notify text), and two buttons - "OK" and "Cancel". All extension functionality is unchanged if "OK" is clicked for example, the very same functions fire as if the user had clicked the prior desktop notify balloon popup.
Here are two screenshots of this exact scenario using the popular Tampermonkey Chrome extension (using a randomly selected script with a known update) that uses desktop notification API to communicate script updates:
"Normal" desktop notify message with default grant permission:
The exact same message (appears in center of the screen) once that permission is revoked by user clicking "block". **Note the actual message itself is not blocked which I find odd, just the desktop notify GUI bubble:
So, the question is really 2-fold:
Where does Chrome store that boolean value of PermissionLevel FOR EXTENSIONS - as they do NOT appear in the normal list of granted/blocked SITES. If not in the UI, is this setting exposed in a configuration file or is there even currently any way in Chrome>65 for the user to ever reverse this decision?
Is there either a programmatic method that can be implemented by an extension developer on the back-end to ever check if this has occurred and re-prompt the user to change their mind and re-grant that permission? I have found a couple unofficial posts here saying common sense says no to avoid malicious harassing of users etc. but I cannot find anything official.
Well, I can confirm after opening this as an official Chromium bug, that it's sitting waiting for triage and clearly has no current workaround here:
https://bugs.chromium.org/p/chromium/issues/detail?id=825497
I also did further testing to determine you can use the ID from the extension and add it into "sites" settings which also based on that behavior, appears to be yet another bug due to some settings not saving, none having desired effect, etc.
I will post this as the current answer as of 04-09-2018:
"it is impossible to re-enable Chrome desktop notifications FOR A SPECIFIC EXTENSION once blocked".
If anyone can post here a successful workaround to in any way re-enable the normal desktop notifications for an extension (tested with Tampermonkey) after the user clicks the "block all notifications from this app" to simply reverse the decision that would be great but I think as long as this has remained unanswered makes me lean towards believing there simply is no current method and it is just a (glaring) UI bug.
Sadly the only method for reversing this is to remove the extension and re-install it.
This issue has been open for nearly half a year. Not expecting a fix any time soon at this point. https://bugs.chromium.org/p/chromium/issues/detail?id=825497
Please star this issue at the link above if you're affected by it.

Run HTML page in Windows window like exe

I have an HTML quiz (it is designed in HTML+CSS, but calculated and animated in JavaScript). Therefore, it opens in the browser by default (quiz.html). I want to make it open in, for example, a Windows window or something different. Is it possible? Or some portable browser, with the HTML file set up to open in it. How?
The problem is that the browser environment (bookmarks, forward, refresh buttons) is visible, and I don't want that. I want it to open in its own specific environment, because it will be placed on 20 computers with different browsers etc... I can install anything on those machines. Or is it maybe possible to set up my quiz.html file to open in some other unpopular browser with not so many buttons and details?
As said in the comments, you might try to open your page in a popup.
http://www.w3schools.com/jsref/met_win_open.asp
http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_win_open
With the following code, I manage to get a popup without anything but the page and the address bar (on Firefox Portable).
// The second argument is the window name; the size goes in the features string (third argument).
window.open("http://www.w3schools.com", "_blank", "width=200,height=100,directories=no,titlebar=no,toolbar=no,location=no,status=no,menubar=no,scrollbars=no,resizable=no");
You would still have the address bar in Firefox, but this can be removed following this post:
Open new popup window without address bars in firefox & IE
If restricting your users to IE is ok then you want an HTML Application (*.HTA) which allows the hosting of HTML/Script in a standalone non-browser window which would seem to be ideal for your purposes.
MSDN ref.
