- From: Anant Narayanan <anant@mozilla.com>
- Date: Wed, 14 Mar 2012 16:45:23 -0700
- To: public-media-capture@w3.org
On Mar 13, 2012, at 12:28 PM, Travis Leithead wrote:
> Note, there is no way to programmatically invoke the file picker API
> (<input type=file>) primarily due to security reasons; you don't want
> an attacker to pop that UI up having pre-configured it. Also, such a
> programmatic method lacks context. Most browsers added "popup blockers"
> because this type of programming was really annoying users :-)
>
> Note, browsers will allow "popups" when a user-action started the process
> under some circumstances (which assumes that there is context for the action).
>
> Programmatically activating the browser's camera UI via an API seems
> like a bad idea for similar reasons. I can see that this could be useful
> in a more trusted environment (like an app), but for an untrusted environment
> in a browser, I wouldn't endorse this approach.
That's a good point. Enforcing a check to see if the API call was made as a result of user action adds unnecessary complexity to the implementation.
> If you really need an API, input.click() is not what you want. What you _really_
> want is:
>
> input.onfilesavailable = function(e) { /* get the Files from e.target.files */ }
>
> Then just direct the user (via UI) to click on the input element, take a picture, and your
> code swoops in to process the File objects if you wish.
Ah, indeed. This is a good recommendation to make for web developers who want to get a picture without dealing with media streams.
Regards,
-Anant
Received on Wednesday, 14 March 2012 23:45:51 UTC