Do something about the clipboard on insecure domains and Firefox

[code-asher]

Current workarounds:

On Firefox you can use middle-mouse click or shift+insert (possibly depends on your OS). Pasting with the right-click menu will not work on Firefox but you can press shift+right click to get the native context menu and use that to paste. ctrl+v will work in the editor but not the terminal.

On Chrome ctrl+shift+v should work in the terminal and ctrl+v should work in the editor. If you use Chrome over a secure domain and accept the clipboard prompt then the right click menu to paste will work for the terminal but not the editor.

---

Summary:

Currently only native paste or the clipboard API will work so there are certain cases where pasting will not work with the keybinding you'd expect (ctrl+shift+v in the terminal) or with the right-click menu (see my comments below for details).

---

Original post:

Currently if you try to copy on an insecure domain you get "cannot read property writeText of undefined` because it's trying to access the clipboard which is undefined in insecure contexts.

We could fall back to copying using document.execCommand("copy") which I think is what the editor does. That seems to work fine.

For paste I believe the editor listens to the native paste command. That's not an option for the terminal because it requires we use the native keybinding (ctrl+v) and that has a different function in the terminal.

I've experimented with document.execCommand("paste") in the past but it didn't work so I assume this is why VS Code didn't use it here although perhaps more research is warranted here. That means our only option is the browser clipboard API which is only available in secure contexts.

Having only copy but not paste available on the terminal doesn't seem like a good solution so I think our best bet is to detect when the context is insecure and display a message describing the need to use https.

Service workers don't work in an insecure context either so maybe it would be a good idea to display a message when the browser loads as well just so people are aware they're accessing code-server in an insecure way and that things might be broken (as well as just generally dangerous).

While we're at it we could also implement the editor paste command using the clipboard API which would resolve #1105.

[sr229]

document.copyText() seems to be the only way we can support HTTP clipboard access but I'm not really certain if WHATWG will still keep it up, and that'll be bad for localhost dev if they decide to axe it.

[code-asher]

We can work around copying, it's the pasting that's a problem. :(

[frank-dspeed]

why is it so hard to generate a self signed cert for general development use and allow that in the browser via import? You do that once you can reuse the certs for your own dev projects always and its done where is the problem=?

[sr229]

Not everyone has the expense to do that, please consider those implications and never assume people to do one thing and do it correctly. This is not open for debate per se.

[easychen]

why is it so hard to generate a self signed cert for general development use and allow that in the browser via import? You do that once you can reuse the certs for your own dev projects always and its done where is the problem=?

Well, some cloud platforms set certificate as enterprise version paid function, so some personal small projects have no way to enable https.

[frank-dspeed]

@easychen show me a link to such a offer. In general you can always get public signed certs from letsencrypt and private once for your company via any PC in that company

[frank-dspeed]

@easychen to make my point clear if your using http + auth or without it does not matter your working with clear text over many hops this is not acceptable in 2019 as you expose everything over the line.

Even More Clear

A Login / JWT Token in the http Header of every Request in Clear Text is like Opening it for the Internet. A Cookie makes not much diffrence

[oldrichsmejkal]

Is it really so hard to make copy-paste working in terminal even on not trusted connections?

Is confusing error message: "cannot read property writeText" really better than making it work (maybe with some warning about the certificate issue)?

It works in Jupyterlab terminal for example..
When you check number of issues related to this problem, you see that this is quite common/serious thing which kills usability for quite a number of people...

[easychen]

@easychen show me a link to such a offer. In general you can always get public signed certs from letsencrypt and private once for your company via any PC in that company

it's not the fee for the certs self , it's for uploading certs to your apps.
it's a PaaS platform such as Google App Engine so you can't config Apache/Nginx your self ...

https://www.sinacloud.com/index/price.html

@easychen to make my point clear if your using http + auth or without it does not matter your working with clear text over many hops this is not acceptable in 2019 as you expose everything over the line.

Even More Clear

A Login / JWT Token in the http Header of every Request in Clear Text is like Opening it for the Internet. A Cookie makes not much diffrence

We DO login via https, but just use this for temp online sandbox under a separate subdomain for every users.

And not all cloud platform has api to upload the certs ...

[code-asher]

If we really need to make the clipboard work on insecure domains the only thing we can do is allow the native keybindings through and listen to the paste event (as far as I'm aware; happy to be proven wrong though).

As long as the browser supports Ctrl+Shift+V for pasting then that will work since we can't use Ctrl/Cmd+v.

Chrome supports Ctrl+Shift+V everywhere while Firefox only supports it for contenteditable=true elements so that would have to be taken into consideration. I don't know about Safari.

Also note you can use Shift+Insert although this might depend on your OS.

This is probably a change that should be made upstream, though, rather than patched in code-server.

It would be wise to use SSL even for a temporary sandbox though, right?

[easychen]

It would be wise to use SSL even for a temporary sandbox though, right?

We will when possible, it's not a tech problem but a financial one. Version 1 is good enough for us, great thanks for your excellent work.

---

For the pasting problem, I see it works ( cmd+v ) under insecurity domain, maybe I missing something?

code-server
Version: 1.39.2
Commit: d81d5f499f09bc887db2fb9bb35e0222bf48d80c
Date: 2019-10-24T21:52:45.195Z
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36