Visualforce Tab not working after Allow CSRF Protection on GET Requests for Visualforce Page - Answers - Salesforce Trailblazer Community
Ling Wei

Visualforce Tab not working after Allow CSRF Protection on GET Requests for Visualforce Page

Hi All,

I have run into an issue: after I enable "Require CSRF protection on GET requests" for a Visualforce Page, the Visualforce tab using that page no longer works.

The error I get when I click on the tab is the following:
The link you followed isn’t valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator. 

Does this mean the Visualforce tab is no longer supported by Salesforce after their critical update on Allow CSRF Protection on GET Requests? Is there a way of fixing this issue, or do I simply need to abandon the Visualforce tab and use another method to display the Visualforce page?

Does anyone have any idea on this?

Thanks in advance. 
Amit Singh
Hi Lina,

Why did you enable "Require CSRF protection on GET requests"? Is there any specific reason for it? Are you using this page in Salesforce App development? Are you calling any controller action from the VF page when the page loads?

Thanks,
Amit Singh
https://sfdcpanther.wordpress.com/
Ling Wei
Hi Amit,

Not for any specific reason at the moment, apart from security. As this is a critical update, I thought it would be better to enable this for all the Visualforce pages. Or is that not the case?

Best regards,
Lina
Amit Singh
Lina,

If you are not pushing your VF page in an App, then you do not need to use this checkbox. This is to provide an extra level of security to your application. So, you do not need to use this checkbox.

Thanks,
Amit Singh
Alex Walsh
Hi All,

If you are experiencing the following error:

"The link you followed isn’t valid. This page requires a CSRF confirmation token. Report this error to your Salesforce administrator."

This is because the Visualforce Page you are navigating to has the metadata checkbox turned on:
<confirmationTokenRequired>true</confirmationTokenRequired>

If you are looking to get your App Security Reviewed, you will need to enable these tokens for each Visualforce page you are navigating to through a web link.

We had a bit of a different pattern:
Our weblinks were created as <linkType>on click javascript</linkType>
To solve this, we have changed the <linkType> for all the web links that were "on click javascript" to:
<linkType>url</linkType>

Then in the <url> body we ensure we are generating "well-formed URLs" using URLFOR.
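
An added example, not part of the original thread: a small audit over retrieved metadata that lists web links pointing at pages with `confirmationTokenRequired` set to true without going through a `url`-type link built with URLFOR, the pattern the last reply describes. The page names, link names and sample XML are constructed, and it assumes on-click JavaScript links appear in metadata as `<linkType>javascript</linkType>`.

```python
import re
import xml.etree.ElementTree as ET

META = "http://soap.sforce.com/2006/04/metadata"
NS = {"sf": META}

# Constructed sample metadata (hypothetical page and link names).
PAGES = {
    "ReviewPage": f'<ApexPage xmlns="{META}">'
                  "<confirmationTokenRequired>true</confirmationTokenRequired></ApexPage>",
    "HelpPage": f'<ApexPage xmlns="{META}">'
                "<confirmationTokenRequired>false</confirmationTokenRequired></ApexPage>",
}
OBJECT_XML = f"""<CustomObject xmlns="{META}">
  <webLinks><fullName>Review_JS</fullName>
    <linkType>javascript</linkType><openType>onClickJavaScript</openType>
    <url>window.location.href='/apex/ReviewPage?id={{!Account.Id}}';</url></webLinks>
  <webLinks><fullName>Review_URL</fullName>
    <linkType>url</linkType><openType>replace</openType>
    <url>{{!URLFOR($Page.ReviewPage, null, [id=Account.Id])}}</url></webLinks>
  <webLinks><fullName>Help_JS</fullName>
    <linkType>javascript</linkType><openType>onClickJavaScript</openType>
    <url>window.open('/apex/HelpPage');</url></webLinks>
</CustomObject>"""

def token_required_pages(pages):
    """Return the names of pages whose metadata requires a CSRF token on GET."""
    required = set()
    for name, xml_text in pages.items():
        flag = ET.fromstring(xml_text).findtext("sf:confirmationTokenRequired", "false", NS)
        if flag.strip().lower() == "true":
            required.add(name)
    return required

def audit_weblinks(object_xml, protected):
    """List (link, page, linkType) for links to protected pages not built as url + URLFOR."""
    findings = []
    for link in ET.fromstring(object_xml).findall("sf:webLinks", NS):
        name = link.findtext("sf:fullName", "", NS)
        link_type = link.findtext("sf:linkType", "", NS)
        url = link.findtext("sf:url", "", NS)
        # Pages referenced by hard-coded /apex/ path or through the $Page global.
        targets = set(re.findall(r"/apex/(\w+)", url)) | set(re.findall(r"\$Page\.(\w+)", url))
        for page in sorted(targets & protected):
            if link_type != "url" or "URLFOR(" not in url:
                findings.append((name, page, link_type))
    return findings

if __name__ == "__main__":
    print(audit_weblinks(OBJECT_XML, token_required_pages(PAGES)))
```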