The CSRF functionality is a security functionality for HTTPs connections.
It is not the applications fault that people do not follow documentation (which is there in that order for over 2,5 years by now which says: install, configure web server, continue with first steps).
Any one installing Zammad from a third party documentation that does not include this step has “bad luck”. Sorry, but not our problem people seek other sources.
It’s not suggested to use Zammad via HTTP for (I guess) obvious reasons… right?
The documentation even explicitly mentions these CSRF token errors with a possible workaround if detection goes wrong (which is a web server issue btw):
https://docs.zammad.org/en/latest/getting-started/configure-webserver.html
Correct. Do you think this was done to bug people? The contrib file we provide is technically functioning on many installations. There are exclusions and I may re-visit it at some point to verify that this is still the way to do, but the way I’m being “asked” here is not how you motivate me to do things.
Little fun fact, $scheme works -without- any issues on over 1800 installations that I am aware of. Maybe that helps you to understand the scope.
That is not correct at all. Caching of the login page which is there several days until you login may be a situation this occurs too (that’s solvable by a simple reload and working as desired as of now). 99% of these problems are configuration issues.