[JENKINS-21052] Warn user that the copy button requires HTTPS

[MarkEWaite]

JENKINS-21052 Warn user that copy button requires HTTPS

Users that run Jenkins over an unencrypted (HTTP) connection will see the copy button, but it does not perform a copy. Browsers will only allow access to the clipboard if the page is in a secure context.

With this change, the text that is displayed when the user clicks the copy button from an insecure context will alert the user that copy requires a secure connection.

https://stackoverflow.com/questions/400212/how-do-i-copy-to-the-clipboard-in-javascript describes the alternatives in more detail.

JENKINS-21052 reported that the copy button does not work. I've confirmed that it works when using an HTTPS connection.

Testing done

• Confirmed that the copy button now displays the "requires a secure context" when attempted with HTTP

Insecure context

• Confirmed that the copy button displays the expected text when used in in a secure context (HTTPS)

Secure context

No automated test because configuring an automated test in a secure context seems very complicated.

Proposed changelog entries

• Warn user that copy button requires HTTPS.

Proposed upgrade guidelines

N/A

Submitter checklist

• The Jira issue, if it exists, is well-described.
• The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples).
  • Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
• There is automated testing or an explanation as to why this change has no tests.
• New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
• New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
• New or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
• For dependency updates, there are links to external changelogs and, if possible, full differentials.
• For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

Use a space suppressing diff to clearly see the added conditional for contexts that are not secure.

Maintainer checklist

Before the changes are marked as ready-for-merge:

• There are at least two (2) approvals for the pull request and no outstanding requests for change.
• Conversations in the pull request are over, or it is explicit that a reviewer is not blocking the change.
• Changelog entries in the pull request title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood.
• Proper changelog labels are set so that the changelog can be generated automatically.
• If the change needs additional upgrade steps from users, the upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the pull request title (see example).
• If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

[timja]

likely doesn't affect much in the wild but may as well 👍, likely affects Jesse because he uses a non localhost url to avoid cookie clashes.

[NotMyFault]

/label ready-for-merge

---

This PR is now ready for merge. We will merge it after ~24 hours if there is no negative feedback.
Please see the merge process documentation for more information about the merge process.
Thanks!

[jtnord]

Caused JENKINS-70895 - some plugin automated tests fail because HTMLUnit does not recognize isSecureContext.