HTTP_REFERER doesn't match against BASE_URL
(1.5) By Vetelko (vetelko) on 2025-01-29 07:37:25 edited from 1.4
Update: It is all solved by adding
fastcgi param SCRIPT_NAME ""
fastcgi param HTTPS "on"
to the web server config. I can get back to concreting the fence posts :)
Maybe I missed something, but HTTP_REFERER doesn't match against BASE_URL, so same_origin is always equal to 0. I set BASE_URL in the procedure wapp-before-dispatch-hook like this:
proc wapp-before-dispatch-hook {} {
  wapp-set-param BASE_URL https://ufko.org
  wapp-set-param HTTPS on
}
To reproduce, just click on the "env" link in the footer of the page https://ufko.org.
Also, when BASE_URL is not set in wapp-before-dispatch-hook, HOST_NAME is always prepended with http://, not https://, even when the CGI variable HTTPS = on.
Edit: It looks like SCRIPT_NAME is later appended to BASE_URL, which is why it doesn't match, but I'm rewriting my URLs from index.cgi to PATH_HEAD, so my URLs look like
https://ufko.org/env
not
https://ufko.org/index.cgi/env
I commented out line 670 in wapp.tcl
https://wapp.tcl.tk/home/file?ci=tip&name=wapp.tcl&ln=670
and it works now locally, but anyway:
How is this solved by the example at: https://sqlite.org/search?env=1
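A simplified model of the comparison described in this post, as an added example rather than code from wapp.tcl or from the poster: it assumes the base URL is built from HTTPS, HTTP_HOST and SCRIPT_NAME, and that same-origin means the Referer equals that base or continues past a "/". The procedure names and the look-alike host are hypothetical, and the sample environments are constructed.

```tcl
# Added illustration, not code from wapp.tcl.
# Assumption: base URL = scheme + host + SCRIPT_NAME, as the post describes.

# Build the base URL from CGI-style variables held in a dict (hypothetical helper).
proc model-base-url {env} {
  set scheme http
  if {[dict exists $env HTTPS] && [dict get $env HTTPS] eq "on"} {
    set scheme https
  }
  set script ""
  if {[dict exists $env SCRIPT_NAME]} {
    set script [dict get $env SCRIPT_NAME]
  }
  return "${scheme}://[dict get $env HTTP_HOST]$script"
}

# Return 1 when the Referer is the base URL itself or a path beneath it.
# The comparison is literal (no glob metacharacters) and requires a "/"
# boundary, so a host that merely starts with the same text does not pass.
proc model-same-origin {env} {
  if {![dict exists $env HTTP_REFERER]} {return 0}
  set ref  [dict get $env HTTP_REFERER]
  set base [string trimright [model-base-url $env] /]
  if {$ref eq $base} {return 1}
  set n [expr {[string length $base] + 1}]
  return [string equal -length $n $base/ $ref]
}

# Constructed cases: label, Referer sent by the browser, server-side variables.
set cases {
  "HTTPS unset, SCRIPT_NAME kept" https://ufko.org/env
      {HTTP_HOST ufko.org SCRIPT_NAME /index.cgi}
  "HTTPS on, SCRIPT_NAME kept"    https://ufko.org/env
      {HTTP_HOST ufko.org HTTPS on SCRIPT_NAME /index.cgi}
  "HTTPS on, SCRIPT_NAME empty"   https://ufko.org/env
      {HTTP_HOST ufko.org HTTPS on SCRIPT_NAME ""}
  "look-alike host in Referer"    https://ufko.org.example.net/env
      {HTTP_HOST ufko.org HTTPS on SCRIPT_NAME ""}
}
foreach {label referer env} $cases {
  dict set env HTTP_REFERER $referer
  puts [format "%-30s base=%-32s same_origin=%d" \
    $label [model-base-url $env] [model-same-origin $env]]
}
```

Run with tclsh; only the case with HTTPS on and an empty SCRIPT_NAME yields a base URL that the rewritten https://ufko.org/env Referer extends.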