Do something about the clipboard on insecure domains and Firefox

[code-asher]

Current workarounds:

On Firefox you can use middle-mouse click or shift+insert (possibly depends on your OS). Pasting with the right-click menu will not work on Firefox but you can press shift+right click to get the native context menu and use that to paste. ctrl+v will work in the editor but not the terminal.

On Chrome ctrl+shift+v should work in the terminal and ctrl+v should work in the editor. If you use Chrome over a secure domain and accept the clipboard prompt then the right click menu to paste will work for the terminal but not the editor.

---

Summary:

Currently only native paste or the clipboard API will work so there are certain cases where pasting will not work with the keybinding you'd expect (ctrl+shift+v in the terminal) or with the right-click menu (see my comments below for details).

---

Original post:

Currently if you try to copy on an insecure domain you get "cannot read property writeText of undefined` because it's trying to access the clipboard which is undefined in insecure contexts.

We could fall back to copying using document.execCommand("copy") which I think is what the editor does. That seems to work fine.

For paste I believe the editor listens to the native paste command. That's not an option for the terminal because it requires we use the native keybinding (ctrl+v) and that has a different function in the terminal.

I've experimented with document.execCommand("paste") in the past but it didn't work so I assume this is why VS Code didn't use it here although perhaps more research is warranted here. That means our only option is the browser clipboard API which is only available in secure contexts.

Having only copy but not paste available on the terminal doesn't seem like a good solution so I think our best bet is to detect when the context is insecure and display a message describing the need to use https.

Service workers don't work in an insecure context either so maybe it would be a good idea to display a message when the browser loads as well just so people are aware they're accessing code-server in an insecure way and that things might be broken (as well as just generally dangerous).

While we're at it we could also implement the editor paste command using the clipboard API which would resolve #1105.

[sr229]

document.copyText() seems to be the only way we can support HTTP clipboard access but I'm not really certain if WHATWG will still keep it up, and that'll be bad for localhost dev if they decide to axe it.

[code-asher]

We can work around copying, it's the pasting that's a problem. :(

[frank-dspeed]

why is it so hard to generate a self signed cert for general development use and allow that in the browser via import? You do that once you can reuse the certs for your own dev projects always and its done where is the problem=?

[sr229]

Not everyone has the expense to do that, please consider those implications and never assume people to do one thing and do it correctly. This is not open for debate per se.

[easychen]

why is it so hard to generate a self signed cert for general development use and allow that in the browser via import? You do that once you can reuse the certs for your own dev projects always and its done where is the problem=?

Well, some cloud platforms set certificate as enterprise version paid function, so some personal small projects have no way to enable https.

[frank-dspeed]

@easychen show me a link to such a offer. In general you can always get public signed certs from letsencrypt and private once for your company via any PC in that company

[frank-dspeed]

@easychen to make my point clear if your using http + auth or without it does not matter your working with clear text over many hops this is not acceptable in 2019 as you expose everything over the line.

Even More Clear

A Login / JWT Token in the http Header of every Request in Clear Text is like Opening it for the Internet. A Cookie makes not much diffrence

[oldrichsmejkal]

Is it really so hard to make copy-paste working in terminal even on not trusted connections?

Is confusing error message: "cannot read property writeText" really better than making it work (maybe with some warning about the certificate issue)?

It works in Jupyterlab terminal for example..
When you check number of issues related to this problem, you see that this is quite common/serious thing which kills usability for quite a number of people...

[easychen]

@easychen show me a link to such a offer. In general you can always get public signed certs from letsencrypt and private once for your company via any PC in that company

it's not the fee for the certs self , it's for uploading certs to your apps.
it's a PaaS platform such as Google App Engine so you can't config Apache/Nginx your self ...

https://www.sinacloud.com/index/price.html

@easychen to make my point clear if your using http + auth or without it does not matter your working with clear text over many hops this is not acceptable in 2019 as you expose everything over the line.

Even More Clear

A Login / JWT Token in the http Header of every Request in Clear Text is like Opening it for the Internet. A Cookie makes not much diffrence

We DO login via https, but just use this for temp online sandbox under a separate subdomain for every users.

And not all cloud platform has api to upload the certs ...

[code-asher]

If we really need to make the clipboard work on insecure domains the only thing we can do is allow the native keybindings through and listen to the paste event (as far as I'm aware; happy to be proven wrong though).

As long as the browser supports Ctrl+Shift+V for pasting then that will work since we can't use Ctrl/Cmd+v.

Chrome supports Ctrl+Shift+V everywhere while Firefox only supports it for contenteditable=true elements so that would have to be taken into consideration. I don't know about Safari.

Also note you can use Shift+Insert although this might depend on your OS.

This is probably a change that should be made upstream, though, rather than patched in code-server.

It would be wise to use SSL even for a temporary sandbox though, right?

[easychen]

It would be wise to use SSL even for a temporary sandbox though, right?

We will when possible, it's not a tech problem but a financial one. Version 1 is good enough for us, great thanks for your excellent work.

---

For the pasting problem, I see it works ( cmd+v ) under insecurity domain, maybe I missing something?

code-server
Version: 1.39.2
Commit: d81d5f499f09bc887db2fb9bb35e0222bf48d80c
Date: 2019-10-24T21:52:45.195Z
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

[code-asher]

My guess is that cmd+v has no assignment in VS Code for the terminal (I thought it did but I must have been wrong) which allows it to perform a native paste instead. You could check by searching for "cmd+v" in the keyboard shortcuts.

That actually presents an interesting workaround. If you're using Chrome and Ctrl+Shift+V doesn't work you can open the keyboard shortcuts and assign the terminal paste keybinding to something obscure you won't use which allows Ctrl+Shift+V to perform a native paste instead.

[easychen]

My guess is that cmd+v has no assignment in VS Code for the terminal (I thought it did but I must have been wrong) which allows it to perform a native paste instead. You could check by searching for "cmd+v" in the keyboard shortcuts.

You are right. So it seems pasting is not a problem now …

[code-asher]

Neat! So for anyone else having the problem, currently the workaround is to search in the keyboard shortcuts for "workbench.action.terminal.paste" then remove the keybinding (Delete or right-click and click Remove Keybinding).

The long-term plan: when the clipboard API isn't available, don't bind those keys.

[frank-dspeed]

this is also the case in upstream microsoft/vscode#83595, microsoft/vscode#83598

[sr229]

We'll wait for upstream fix and see what we can do.

[code-asher]

Another note about this on Firefox. Firefox doesn't support the clipboard API at all apparently (at least not on websites) and it also doesn't bind Ctrl+Shift+V so the above workaround doesn't work. The only solution as far as I can tell is to use contenteditable=true on Firefox which makes Ctrl+Shift+V work.

So there's currently no workaround for Firefox and it won't work even in a secure context.

[code-asher]

Oh actually as previously mentioned Shift+Insert is a workaround.

[frank-dspeed]

@code-asher the problem even exist in theia

[ViRb3]

Another workaround for Firefox: Shift + Right-click opens the context menu, and you can simply click paste. Middle-click did not work for me.

[nhooyr]

From #1725

I think the move will be to always show the paste option but when it's clicked display a message describing why it won't work and possible solutions (i.e. switch to Chrome).

@LindsayWeir Not sure why it doesn't work on iPad, maybe the clipboard API isn't implemented there. We should show a message there as well @code-asher

[hgw77]

I was updating from 3.2.0 to 3.4.1. When I use shift + right click I see now a different native context menu where I can bookmark or save the content. But no paste option is on that context menu. I guess on the older version the terminal was kind of textarea where the context menu shows me copy and paste option? So for me it is not possible to paste any content to the terminal :-(

[Heath123]

Is this just on Firefox? What about using the native context menu adding the VS Code ones with this? It would be slightly more cluttered and wouldn't fit the VS Code theme, but I think that's worth it (or it could be optional).

[Heath123]

How it would look (for the terminal context menu items):

[hgw77]

yes it is only a problem with firefox, on chrome it works very well. If I use the shift + righ click now it looks like the screenshot below. As you can see, there is no chance to paste anything.....

[Heath123]

yes it is only a problem with firefox, on chrome it works very well. If I use the shift + righ click now it looks like the screenshot below. As you can see, there is no chance to paste anything.....

You have to right click in the actual terminal, it looks like you're right-clicking on the right-click menu

[hgw77]

that was a fast answer ;-)

I click on the terminal and select a text with shift + left click and than I use shift + right click to open the context menu. As you can see now the native context menu is rendered above the terminal context menu, that happens somtimes.

[ohadbenita]

I have the same issue with Chrome, what's the workaround for it?

[pcgeek86]

SHIFT + INSERT works with Firefox on Windows 10 version 2004

[AlCalzone]

Can confirm, shift + insert also works for me in Firefox on Windows 7.

[tidux]

Looking at Mozilla's developer documentation this seems related to an experimental Blink-only feature "ClipboardItem."

https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API

[noverby]

I found a workaround for Firefox!

Just set dom.events.testing.asyncClipboard to true.

[Miguelklappes]

I found a workaround for Firefox!

Just set dom.events.testing.asyncClipboard to true.

THANK YOU SO MUCH!

[noverby]

@Miguelklappes If you are not being sarcastic, why did you give my comment a thumbs down?

[Miguelklappes]

@Miguelklappes If you are not being sarcastic, why did you give my comment a thumbs down?

By mistake!! I wasn't being sarcastic haha

[hgw77]

hey it seems something changed? with the latest FF version (and Codeserver Version 3.10.1) I can copy paste (CTRL+C, CTRL+V)in the terminal? I am totally surprised ;-)

[jsjoeio]

Oh really? Maybe something got fixed upstream. Thanks for the note @hgw77 😄

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no activity occurs in the next 5 days.