1. 20

  2. 5

    For me the default behaviour without capture is better. I get to choose between taking a photo or selecting picture from gallery, which I find more useful.

    1. 7

      This is one of those leaky things that comes from the non semantic HTML world. Nothing prevents having a camera button as part of the normal file chooser. It makes no sense for the web page to have an opinion about camera vs not camera, that’s up to the user or at least user agent.

      1. 2

        I’m pretty sure that’s the behavior with capture. Without it, the take a photo option would be missing.

        1. 4

          Not for me (Firefox).

      2. 2

        they think that should be a security concern. I don’t agree.

        Strongly disagree. It is completely mixing the barriers between what belongs to the website and what does to the browser/user. And I definitely don’t want to accidentally click into that camera field and it gets what ever is in front of it.

        1. 11

          I originally had the same concern as you. However, I tried loading the example HTML on my phone, and I’m much less worried about security issues arising now.

          The input capture shows up as a standard “choose a file” button, at least on my browser (Chrome on Android). Then, when you click on it, you get something that very closely resembles a standard “choose a file” popup on Android: a list of recent video files, and a button to browse the rest of the filesystem. The one addition is a “camera” button, which presumably would allow you to record a video to a temporary file using the system camera app that would be given to the website upon closing the dialog. I say presumably because when I tried to click on the “camera” option, chrome crashed (hah!).

          So, all in all, this is really just adding a new option to the existing file chooser. I don’t think it adds any more security risk than the original file input option. I do think the original post could have explained its behavior better, so fewer people would have brought up security concerns. I’m also not sure if other browsers implement this in a less secure way.

          Edit: many people were still confused about the popup UI, so here’s a link to try it out yourself. https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/capture

          1. 6

            I once had something like what you describe except that I found it super-confusing that I actually had to grant the “camera” permission in order to get to pick a file instead.

            1. 4

              I tested several different permissions and kind of see what you’re talking about. Chrome only crashed when the camera permission was completely disabled. When it was set to ask every time, it behaved as expected. And when I set Chrome to always allow camera access, the file choosing button suddenly jumps straight into the camera view and doesn’t give me the option to select a file.

              What a bizarre choice by Chrome to have permissions affect the user interface.

            2. 2

              Yeah fair, it seems less problematic than the post made it sound to me. Although I’d rather select myself whether this is coming from my camera (which one?) or from my files. I generally don’t give camera access to my browser.

              1. 3

                I’d rather select myself whether this is coming from my camera (which one?) or from my files

                It actually does allow you to choose either camera or files [1]. And after you select a camera, the default camera app allows you to change the camera (front/back on my phone) to whatever you want.

                [1] screenshot: https://i.ibb.co/wzhw07t/Screenshot-20220909-123744-2.png

            3. 7

              You’ve always been able to ask the user to upload a file using an HTML input. The only thing that this article is pointing out is that now the spec supports letting the user choose a pre-existing file or use their system camera app to take a photo which they can then select as the file to upload.

              For example, in Slack I can tap the button to attach a file to a message, and it will let me choose an existing file, or let me take a picture and then choose that new picture as the file to attach. It is not possible, at least on iOS, to accidentally with a single click/tap irrevocably give Slack whatever my camera lens is seeing. I have to first decide to take a picture, and then select that picture as the file to upload.

              So if you’re going to complain about this, feel free, but please make sure you are doing so from a position of understanding the factual reality of how the feature works.

              1. 4

                You would have to accidentally click that camera field and then accidentally take a picture.

                1. 1

                  Javascript can probably take care of the first half.

                  Evil UX trickery the second half.

                  (then javascript can autosubmit to seal the deal)

                  1. 2

                    At least on iOS, you can’t JavaScript your way through this – when the picker pops up, it’s a system dialog and the system camera app. As far as I’m aware there simply are no APIs that would let malicious UI or JavaScript control or overlay those.

              2. 1

                they think that should be a security concern. I don’t agree.

                So it autoopens the camera. And if you happen to press the shutter button, you lose, as then javascript can take care of the rest.

                1. 7

                  it autoopens the camera

                  Only if you’ve already given your browser permission to use your camera – otherwise you have to intentionally choose camera in the browser popup.

                  if you happen to press the shutter button, you lose, as then javascript can take care of the rest.

                  Nope. Even if you’ve already given your browser permission for the camera, you first have to click the “open a file” button. Then you have to click the shutter button. And then you have to click a confirm button. (Caveat: this is on Chrome on Android. Other browsers may implement it differently.)

                  1. 4

                    Same on iOS, lots of confirmation steps so you’d have to be pretty drunk to do this by accident.