While trying to get a CGI running under /ext this morning i came across a bit in the underlying framework which determines whether it should set the secure cookie property based on whether the client is using HTTP or HTTPS. Apache communicates that to scripts with the REQUEST_SCHEME environment variable by setting the value to "http" or "https" (or perhaps something more esoteric).

This branch:

https://fossil-scm.org/home/timeline?r=ext-request-scheme

Adds REQUEST_SCHEME to the /ext environment, but whether or not that's a genuinely great idea is in question. It's not a CGI-standard variable. Insofar as i can determine it's Apache-specific, but i'm unable to find another bit in the fossil-passed-on environment which can tell the script whether it's running under https or not.

This may end up being a moot point, anyway, because /ext CGIs cannot currently pass on any cookies, making the passing on of the affected (in my client script) cookie impossible.

:-?