Attempting to log in on the onion service for trac (http://ea5faa5po25cf7fb.onion) results in 'Error: Bad request. Missing or invalid form token. Secure cookies are enabled, you must use https to submit forms.'
The onion service doesn't work with HTTPS.
Trac: Username: nido
Not only login, but any form submitted, e.g. any custom query.
Trac: Username: nido Summary: Cannot login on Trac onion site ('must use HTTPS to submit forms') to Cannot login or submit forms Trac onion site ('must use HTTPS to submit forms')
Yes, this is expected, and not straightforward to fix.
Trac isn't written to be able to think of itself as multiple server names.
Also, it defends itself from having you use it over plain http, and it doesn't know about onion services so it doesn't know to maybe treat them differently.
The ultimate answer is probably to get an https cert for trac's onion service (which will be more straightforward once onion services are permitted to get DV https certs), and also to rewrite trac as needed so it can handle being multiple server names.
In the meantime, it's probably simplest to close this ticket as a "wontfix", in that we would welcome a trac rewrite but I can't imagine anybody is actually going to do it.
    if self.env.secure_cookies and req.scheme == 'http':
        msg = _('Secure cookies are enabled, you must '
                'use https to submit forms.')
    else:
        msg = _('Do you have cookies enabled?')

Removing or uncommenting these might be the answer.
I tried to ask this question to trac mailing list but it's using google maillist.
I don't want to connect to google.com.
No, I don't think that by itself will work -- we don't want to make the cookies insecure (i.e. make the browser willing to send them to http sites), so just changing how the server handles it when it receives a cookie won't be enough.
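The point made in the last reply can be checked with Python's standard cookie handling. This is an added example, not code from Trac or from anyone in this thread: the hostname and token value are constructed, the cookie and field names are assumptions, and `server_accepts_form` is a simplified model of the token comparison.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

HOST = "trac.example.onion"   # constructed hostname, not the real service
TOKEN = "0123456789abcdef"    # constructed form token value


def make_token_cookie(secure):
    """Form-token cookie as a server would set it (cookie name is an assumption)."""
    return Cookie(
        version=0, name="trac_form_token", value=TOKEN,
        port=None, port_specified=False,
        domain=HOST, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_sent(scheme, secure):
    """Return the Cookie header a standards-following client attaches, or None."""
    jar = CookieJar()
    jar.set_cookie(make_token_cookie(secure))
    # Passing data makes this a POST, like a submitted login form.
    req = Request(f"{scheme}://{HOST}/login",
                  data=b"__FORM_TOKEN=" + TOKEN.encode())
    jar.add_cookie_header(req)  # the client-side Secure check happens here
    return req.get_header("Cookie")


def server_accepts_form(scheme, secure, scheme_check=True):
    """Simplified model: the submitted token must equal the cookie's token."""
    if scheme_check and secure and scheme == "http":
        return False  # the branch quoted in the ticket
    header = cookie_header_sent(scheme, secure)
    cookie_token = header.split("=", 1)[1] if header else None
    return cookie_token == TOKEN


if __name__ == "__main__":
    for scheme, secure, check in [("https", True, True), ("http", True, True),
                                  ("http", True, False), ("http", False, True)]:
        print(scheme, "Secure" if secure else "not Secure",
              "check on" if check else "check removed",
              "->", server_accepts_form(scheme, secure, check))
```

With the scheme check removed, the form is still rejected over http, because the client never sends the Secure cookie; only dropping the Secure flag lets the form through, which is the trade-off the reply rules out.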