[2.x] Disable the copy button in insecure contexts

[keerthi-swarna]

Parent Issue Link: #1259

Description

Currently, the copy button in JupyterLab's interface (in the jupyter-ai extension) does not work when the JupyterLab server is served over HTTP (insecure context). Clipboard functionality requires a secure context (HTTPS or localhost). When the page is served via HTTP, copying from the clipboard is disabled.

This can cause confusion for users, as they may expect the copy button to function even in insecure contexts. To prevent this issue from affecting users, it would be helpful to disable the copy button when the JupyterLab environment is served via HTTP and provide a tooltip indicating that copying to the clipboard requires a secure context.

Reproduce

1.Launch JupyterLab (version 4.3.5) in an insecure context (over HTTP, not HTTPS).
2.Open a notebook or chat with cells containing information that can be copied.
3.Observe that the Copy button appears to be clickable, but it doesn't perform any action when clicked.
4.Try copying content and pasting it into an external document (e.g., Markdown file) and observe that it doesn't work.
5.Check that the copy button is still active (not grayed out or disabled), even though clipboard access is blocked in an insecure context.

Output

268.89677276b0cf81d3f244.js?v=89677276b0cf81d3f244:1 Failed to copy text: TypeError: Cannot read properties of undefined (reading 'writeText') at 268.89677276b0cf81d3f244.js?v=89677276b0cf81d3f244:1:19034 at onClick (268.89677276b0cf81d3f244.js?v=89677276b0cf81d3f244:1:21661)

Proposed solution:

• Disable the copy button in insecure contexts (HTTP).
• Display a tooltip on hover for the disabled button that reads: "Copying to clipboard requires a secure context, which requires HTTPS if not on localhost."

Expected behavior

• When JupyterLab is served over HTTP (insecure context), the copy button should be disabled.
• The disabled copy button should have a tooltip that reads: "Copying to clipboard requires a secure context, which requires HTTPS if not on localhost."
• In secure contexts (served over HTTPS or localhost), the copy button should remain enabled and functional.

[wkvolkman]

Don't forget to permit "localhost" for http connections.

[dlqqq]

@keerthi-swarna We can detect when the browser is detecting an insecure context really easily just by asserting the presence of navigator.clipboard:

function isInsecureContext() {
  return navigator.clipboard === undefined;
}

@wkvolkman This will use the browser's settings, so Jupyter AI won't add any additional restrictions that may forbid usage on localhost.

[donghokimm]

how about this?

function isInsecureContext() {
  return !window.isSecureContext;
}