Pass X-Forwarded-Proto if present or $scheme

Rack::Protection::HttpOrigin is checking if the origin url (including the scheme) matches base url

https://github.com/sinatra/sinatra/blob/b801c6b76b89eb071e2b01700273054bbe8aae05/rack-protection/lib/rack/protection/http_origin.rb#L33