sandeep@Salesforce

What does "Require CSRF protection on GET requests" mean?

Recently a new option was added to the VF page compiler in Salesforce. What does it mean?

sfdcfox
What it says on the tin. When this property is set, an unguessable token that is validated by Visualforce is required for the page to load. Genuine requests coming from the UI will have this token as a parameter, while forged (or non-UI-initiated) requests will be missing this token, or will carry an expired or invalid token.

The upside of this is that your page won't load if the user just types in the URL and/or clicks on a malicious link. You should consider using this attribute on any page that performs a DML operation as the page loads (via the action attribute on apex:page, or by an actionFunction called when the page loads, etc.).

Consider the following page:

https://na1.salesforce.com/apex/deleteAccount?id=001000000083AzI

Assume this page deletes the account named by the ID, without user confirmation (perhaps because the confirmation would have come from a prior dialog box). Without CSRF protection, the account could be maliciously deleted by sending the user an email like this:

<img src="https://na1.salesforce.com/apex/deleteAccount?id=001000000083AzI" width="0" height="0"/>

Assuming the user was logged in to salesforce.com in the same application, and the user had rights to delete the account, the page would happily delete the account without them realizing it, until someone noticed it was missing, possibly too late to restore it from the Recycle Bin.

Standard pages already require a CSRF token in order to operate. For example, deleting a custom field uses a URL like this:

https://na1.salesforce.com/setup/own/deleteredirect.jsp?retURL=%2Fp%2Fsetup%2Flayout%2FLayoutFieldList%3Ftype%3DAccount%26setupid%3DAccountFields%26retURL%3D%252Fui%252Fsetup%252FSetup%253Fsetupid%253DAccount&setupid=AccountFields&type=Account&delID=00N.......&_CONFIRMATIONTOKEN=....

As you can see, the _CONFIRMATIONTOKEN is appended, and this page won't process the request without this token. If you remove the token, you get the following error:

The attempted delete was invalid for your session. Please confirm your delete.

This prevents malicious attempts to delete a field, for example.

Your pages can leverage this same protection mechanism to make sure that the action isn't carried out without having a genuine request to perform the action.

You only need to enable this feature for pages that perform some irreversible or permanent change to the database as it loads. For example, record deletions, modifications to fields, and so on should all be protected by this mechanism.
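To make the mechanism concrete, here is an added example (not from the original post, and not Salesforce's or Visualforce's own code) that models in Python what the answer above describes: a state-changing GET handler that refuses to act unless the request carries an unguessable confirmation token that is bound to the caller's session and has not expired. Everything in it is assumed or constructed for illustration: the na1.example hostname, the HMAC-based nonce.expiry.mac token format, the 15-minute lifetime, the ACCOUNTS dictionary standing in for the database, and the session identifiers. Visualforce's real token format is not documented on this page and is not what this code implements; only the pattern is the same.

```python
"""Model of the "confirmation token on a state-changing GET" pattern.

Server side: a per-process secret, tokens bound to one session with an
expiry, and a GET handler that refuses to delete unless a valid token
for *that* session is present. The attacker who mails an <img src=...>
never sees the victim's token, so the forged request is refused.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

SERVER_SECRET = os.urandom(32)      # assumed: one secret per server process
TOKEN_TTL_SECONDS = 15 * 60         # assumed lifetime; not Visualforce's actual value

# Constructed stand-in for the database.
ACCOUNTS = {"001000000083AzI": "Acme Corp", "001000000083Azz": "Globex"}


def _mac(session_id: str, nonce: str, expires: int) -> str:
    """HMAC over session id, nonce and expiry; the session binding stops token reuse across users."""
    msg = f"{session_id}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token for one session, formatted as nonce.expiry.mac."""
    now = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    expires = now + TOKEN_TTL_SECONDS
    return f"{nonce}.{expires}.{_mac(session_id, nonce, expires)}"


def check_token(session_id: str, token: Optional[str], now: Optional[float] = None) -> str:
    """Return 'ok' or the reason for rejection: missing, malformed, invalid or expired."""
    now = int(time.time() if now is None else now)
    if not token:
        return "missing"
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return "malformed"
    nonce, expires, mac = parts[0], int(parts[1]), parts[2]
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(session_id, nonce, expires)):
        return "invalid"
    if now >= expires:
        return "expired"
    return "ok"


def render_delete_link(session_id: str, account_id: str, now: Optional[float] = None) -> str:
    """What the genuine UI emits: the link already carries a fresh token for this session."""
    token = issue_token(session_id, now)
    return f"https://na1.example/apex/deleteAccount?id={account_id}&_CONFIRMATIONTOKEN={token}"


def handle_delete_account(url: str, session_id: str, now: Optional[float] = None) -> str:
    """GET handler for /apex/deleteAccount: validate the token before doing any DML."""
    params = parse_qs(urlparse(url).query)
    token = params.get("_CONFIRMATIONTOKEN", [None])[0]
    verdict = check_token(session_id, token, now)
    if verdict != "ok":
        return f"refused: {verdict} token"
    account_id = params.get("id", [None])[0]
    if account_id not in ACCOUNTS:
        return "refused: no such account"
    del ACCOUNTS[account_id]
    return f"deleted {account_id}"


if __name__ == "__main__":
    victim = "sess-victim"
    # The <img src> from the attacker's email: correct id, no token.
    forged = "https://na1.example/apex/deleteAccount?id=001000000083AzI"
    print(handle_delete_account(forged, victim))          # refused: missing token
    genuine = render_delete_link(victim, "001000000083AzI")
    print(handle_delete_account(genuine, victim))         # deleted 001000000083AzI
```

The forged request lands in the "missing" branch, a token lifted from another user's session or edited in transit lands in "invalid", and a stale bookmark lands in "expired", which are the three failure cases the answer lists. The token only closes the CSRF hole; a GET that changes data still ends up in browser history and proxy logs, so the confirmation dialog mentioned above is worth keeping as well.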
Prabhjot Singh 27
Hey sandeep / sfdcfox, we are also enabling it and we are getting the error "The link you followed isn't valid. This page requires a CSRF confirmation token" while we are navigating to a VF page from JavaScript.
The code below is used in many places in our sandbox.
function callAlert(agid) {
    jQuery("#dialog").dialog({
        modal: true,
        width: "30%",
        dialogClass: 'custom-ui-widget-header-warning',
        buttons: {
            Ok: function () {
                jQuery(this).dialog("close");
                // Opens the VF page in a new tab with a hand-built URL (only agid is passed).
                var win = window.open('/apex/DownloadCatClass?agid=' + agid, '_blank');
                win.focus();
                //callNextPage(agid);
            }
        }
    }).prev(".ui-dialog-titlebar").css("background", "#005596").css("color", "white").css("text-align", "center");
}

Since this is used in many VF pages I don't want to change the design approach. What minimal changes can I make so that my navigation works?
Thanks