I'm migrating a site from Plone 5.2 to 6.0.4. I was able to run the main Plone migration but when I tried to run the upgrade steps for package profiles in portal_setup they failed silently. I was able to confirm this is because no authenticator form field is being passed. I do have plone.protect==5.0.0 in the venv so I'm not sure why these aren't being automatically to Plone or ZMI forms. I don't have a problem with a new site created on the same ZODB, just the migrated one.
To be clear, there's no failed request to get the protect.js - I can see in the source code it's not requested at all.
You can try temporarily disabling CSRF protection by setting the PLONE_CSRF_DISABLED environment variable to true, in order to run the upgrade steps, in case there is some upgrade step that makes a change which fixes the problem.
Thanks, I was able to figure it out from this. The problem was that I had a theme for this site that was not in the venv. This caused an error which presumably led to plone.protect's traversal failing - even in the ZMI. This is a slight gotcha because the error only shows up in the logs, while the page returns a 200.
The solution was to set PLONE_CSRF_DISABLED in the zope.conf, restart, and set the site's theme to anything valid. Then I was able to remove the PLONE_CSRF_DISABLED env var and do business as usual.