Allow CSRF Protection on GET Requests to Visualforce Pages Critical Update Postponed

This critical update, released in Spring ’17, was scheduled for auto-activation in Summer ’17, but has been postponed to October 15, 2017. This critical update gives you the option of ensuring that Visualforce pages receive a CSRF token with a GET request.

While creating a Visualforce page in Setup, you can select Require CSRF Protection on GET requests. This option gives your Visualforce page an extra layer of security that guards against cross-site request forgery (CSRF). Previously, this option only had an effect when applied to Visualforce pages used for delete action overrides. Although you can enable CSRF protection on any Visualforce page, this critical update does not enable protection on every page.

When this option is enabled for a Visualforce page, you can’t access that page by entering its URL—/apex/PageName—and plain links to that page using <a> tags don’t work.

Plain links from a page with CSRF checks work, but links to the page do not. For example, if your page has the name PageName, the link <a href="/apex/PageName">Link</a> doesn’t work. Instead, use the URLFOR() formula function, the $Page global variable, or the apex:outputLink component.

<apex:outputLink value="/apex/PageName">Link using apex:outputLink</apex:outputLink>
<a href="{!$Page.PageName}">Link using $Page</a>
<a href="{!URLFOR($Page.PageName)}">Link using URLFOR()</a>

CSRF checks on GET requests also affect how Visualforce pages are referenced from Apex controllers. Methods that return the URL of CSRF-protected pages for the purpose of navigation don’t work:

// Returns the URL as a plain string; navigation to a CSRF-protected page fails.
public String getPage() {
    return '/apex/PageName';
}

Instead, use methods that return a reference to the Visualforce page rather than the URL directly.

public class customController {
    // Wraps the URL in a PageReference.
    public PageReference getPage() {
        return new PageReference('/apex/PageName');
    }

    // References the page by name through the Page namespace.
    public PageReference getPage1() {
        return Page.PageName;
    }
}

When you use one of these methods to link to a page, Visualforce adds the required CSRF token to the URL. These are the preferred methods for linking to Visualforce pages, regardless of whether CSRF protection is enabled for the page. These are the only methods available for adding a CSRF token to a URL for a Visualforce page.

Test This Critical Update

This update will be enabled everywhere on the auto-activation date. We recommend that you test your Visualforce code in a Developer Edition org before that date and verify that links to all your Visualforce pages using CSRF protection still work. If you must work in your production org, do so during off-peak hours.

To activate this critical update:
  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. Click Activate for Allow CSRF Protection on GET Requests to Visualforce Pages.
  3. Test links to Visualforce pages that have CSRF protection on GET requests enabled.
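
To support step 3, the following added example (not Salesforce code) scans Visualforce markup and Apex source for the two link forms described above as not working for CSRF-protected pages: plain <a> tags with a literal /apex/ URL and Apex methods that return the URL as a string. The function name, the list of protected page names, and the sample source are assumptions constructed for illustration.

```python
import re

# Plain <a> tag whose href is a literal /apex/ URL.
PLAIN_ANCHOR = re.compile(
    r'<a\b[^>]*\bhref\s*=\s*["\']/apex/(\w+)[^"\']*["\']', re.I)
# Apex statement that returns a literal /apex/ URL string.
STRING_RETURN = re.compile(r"\breturn\s+'/apex/(\w+)[^']*'\s*;", re.I)

def find_tokenless_links(source, protected_pages):
    """Return (line_no, page, kind) for each hard-coded link to a protected page.

    protected_pages is a caller-supplied list of pages that have
    "Require CSRF Protection on GET requests" selected. Names are compared
    case-insensitively (an assumption of this example).
    """
    protected = {p.lower() for p in protected_pages}
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for kind, rx in (("plain-anchor", PLAIN_ANCHOR),
                         ("string-return", STRING_RETURN)):
            for match in rx.finditer(line):
                if match.group(1).lower() in protected:
                    findings.append((line_no, match.group(1), kind))
    return findings

# Constructed sample mixing Visualforce markup and Apex, one item per line.
SAMPLE = """\
<a href="/apex/PageName">Link</a>
<apex:outputLink value="/apex/PageName">Link</apex:outputLink>
<a href="{!$Page.PageName}">Link</a>
<a href="{!URLFOR($Page.PageName)}">Link</a>
<a href="/apex/OtherPage">Unprotected</a>
public String getPage() { return '/apex/PageName'; }
public PageReference getPage() { return new PageReference('/apex/PageName'); }
public PageReference getPage1() { return Page.PageName; }
"""

if __name__ == "__main__":
    for line_no, page, kind in find_tokenless_links(SAMPLE, ["PageName"]):
        print(f"line {line_no}: {kind} link to {page} carries no CSRF token")
```

Only the forms the text lists as broken are reported; apex:outputLink, $Page, URLFOR() and PageReference references are left alone.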