How to capture image with html5 webcam without security prompt

Question

I need to capture image from web page without security warning.

enter image description here

Page where i need webcam functionality can not be switched to https protocol. I've installed root certificates and made them trusted. I tried to insert iframe (which pointed to secure protocol https://mysecurepage.com) inside page (http://mypage.com), but not worked.

Do you control the browsers or how they are run (like your page is functioning as a kiosk)? Ideally, what you are describing is *exactly the kind of behavior* that should be desired in a web browser, unless the *user or owner of the browser* specifically tells the browser otherwise. — JayC, May 20 '13 at 05:08
Our customer is a big organization and we can ask system administrators to "make something" with client computers — Didar Burmaganov, May 20 '13 at 05:12
But you don't know which browser would be used, or you want to be flexible about browser choice... I can understand the latter desire, but, really, I don't see this as anything other than a browser configuration issue (if it can be done at all, which one would *should* be possible in some browsers). I've been looking around for the past 5 minutes to see if there's any specifications anywhere about what ought and ought not to be done but I haven't found anything yet. The best source probably is to look at each and every browser you might use and see what security overrides can be specified. — JayC, May 20 '13 at 05:27
I personally hope you do not find a solution to this problem, this security measure is to prevent this exact functionality. — JP Silvashy, May 20 '13 at 05:57
@Didar Burmaganov please specify the situation in which this will be used. — bjelli, May 20 '13 at 15:07
@bjelli we making web system for organization, we can control which browser clients using and also we can tell what additional software must be installed. Our application is written for Chrome. — Didar Burmaganov, May 22 '13 at 04:10
thanks, that helps on the tehcnical side. but WHY you want to capture video with the camera WITHOUT the users consent? — bjelli, May 22 '13 at 11:04
May be there is a way to hide that message via chrome extension? — Didar Burmaganov, May 23 '13 at 04:09
@all i think it is impossible now, so i decided to use old flash and it just works... — Didar Burmaganov, May 27 '13 at 11:01

score 2 · Accepted Answer · answered Sep 20 '13 at 01:35

@bjelli is correct - this is a major security flaw for any internet content. Just imagine if you could go to a website which would start taking photos/recording everything going on without any permissions or notifications!

However, I am working on an intranet project where disabling the prompt would be quite safe. If you are in this sort of position - there is one thing you can do;

Google Chrome Policies

If you are deploying the browser, you can override the security prompt for sites you specify. I don't know if you are working in such an environment, but this is the only way you can avoid the prompt all together. Similar things probably would apply for other browsers too.

Yes, project is inside intranet and we can configure clients' computers. — Didar Burmaganov, Sep 21 '13 at 08:20

bjelli · Answer 2 · 2013-05-20T05:53:13.053

As defined in http://www.w3.org/TR/mediacapture-streams/

When the getUserMedia() method is called, the user agent MUST run the following
steps:

[9 steps omitted] 

Prompt the user in a user agent specific manner for permission to provide the
entry script's origin with a MediaStream object representing a media stream.

[...]

If the user grants permission to use local recording devices, user agents are
encouraged to include a prominent indicator that the devices are "hot" (i.e. an
"on-air" or "recording" indicator).

If the user denies permission, jump to the step labeled failure below. If the
user never responds, this algorithm stalls on this step.

If a browser does not behave as described here it is a serious security problem. If you find a way of making a browser skip the "permission" you have found a security problem.

What do you do if you find a security problem?

Report it IMMEDIATELY! Wikipedia: Vulnerability Disclosure

Firefox: http://www.mozilla.org/security/#For_Developers
Internet Explorer: http://technet.microsoft.com/en-us/security/ff852094.aspx
Safari: https://ssl.apple.com/support/security/
Chrome: http://www.google.com/about/appsecurity/
Opera: http://www.opera.com/security/policy

This is not just a question of technical possibilities, it's also a question of professional ethics: what kind of job would I not take on? should I be loyal to my customer or should I think of the welfare of the public? when do I just follow orders, when do I stop bad stuff from happening, when do I blow the whistle?

Here are some starting points for computing professionals to think about the ethics of their work:

There comes some situations where a *browser really isn't functioning as a browser* though, it's just a convenient display vehicle of restricted content... and that's when the normal security considerations may go out the window. I would assume that the OP's needs are specific for particular people; It could be something as silly as using HTML5 for ATMs or something. You aren't going to want a security prompt for ATMs to take your picture; that should be automatic. — JayC, May 20 '13 at 13:49
yes, there might be such situations. i'll ask the OP - if he doesnt clarify I am wary of helping him. — bjelli, May 20 '13 at 15:08

How to capture image with html5 webcam without security prompt

2 Answers2