[SalesForce] The link you followed isn’t valid. This page requires a CSRF confirmation token

Whenever I enable the Require CSRF protection on GET requests checkbox, it always displays the message below:

The link you followed isn’t valid. This page requires a CSRF
confirmation token. Report this error to your Salesforce
administrator.

I have gone through a couple of links and Trailhead to understand the purpose of CSRF and how to avoid it.

Cross-Site Request Forgery (CSRF)

Prevent Cross-Site Request Forgery (CSRF) Trailhead Module

But I want to understand the purpose of enabling this checkbox as currently it breaks the link between existing VF page.

If I enable this checkbox, do I need to modify the code in the existing VF page?

If yes, what code needs to be added?

How can I see the existing VF page by enabling this checkbox?

Functionality which is not working in VF Page:

function uncheckCheckboxButton() {
    var aId = '{!Opportunity.Id}';
    if ((typeof sforce != 'undefined') && sforce && (!!sforce.one)) {
        // Salesforce1 navigation
        assignTabName();
        sforce.one.navigateToSObject(aId);
    }
    else {
        // Set the window's parent URL using a Visualforce expression
        assignTabName();
        window.top.location.href = '/{!Opportunity.Id}';
        // window.location.reload();
        // window.parent.location = document.referrer;
    }
}

<apex:actionFunction action="{!checkboxFalse}" name="assignTabName" reRender="none">
    <apex:param name="oppName" value="{!Opportunity.Id}" />
</apex:actionFunction>

In this VF page, I am setting the checkbox value to false, so whenever I click on the VF page button, it unchecks the checkbox.

When I enable CSRF protection for this VF page, the else part of the VF page does not perform the operation on the 1st attempt. I need to refresh it again in order to see the correct result.
Do I need to add an action function in the else part?

How can I pass Opportunity Id here?

Also, in the if part, is there any modification needed, as this is for SF1?

Best Answer

From the Spring '17 Release Notes on Allow CSRF Protection on GET Requests to Visualforce Pages (Critical Update):

When this option is enabled for a Visualforce page, you can’t access the page by entering its URL—/apex/PageName. Also, plain links to that page using <a> tags don’t work. If you try to access a Visualforce page with CSRF protection enabled, the page doesn’t load and you get an error.

Plain links from a page with CSRF checks work, but links to the page do not. For example, if your page has the name PageName, the link <a href="/apex/PageName">Link</a> doesn’t work. Instead, use the URLFOR() formula function, the $Page global variable, or the apex:outputLink component.

<apex:outputLink value="/apex/PageName">Link using apex:outputLink</apex:outputLink>
<a href="{!$Page.PageName}">Link using $Page</a>
<a href="{!URLFOR($Page.PageName)}">Link using URLFOR()</a>

CSRF [sic] checks on GET requests also affect how Visualforce pages are referenced from Apex controllers. Methods that return the URL of CSRF-protected [sic] pages for navigation don’t work:

public String getPage() {
    return '/apex/PageName'; 
}

Instead, use methods that return a reference to the Visualforce page instead of the URL directly.

public class customController {
    public PageReference getPage() {
        return new PageReference('/apex/PageName'); 
    }
    public PageReference getPage1() {
        return Page.PageName; 
    }
}

See also: Visualforce PageReference - Name Constructor vs. Factory
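
A check that can be run over Visualforce and Apex source before ticking the checkbox, as an added example (not from the original post or from Salesforce): it flags only the two forms the release notes above say stop working, a plain `<a>` link and an Apex method returning the URL as a string. The function name, the regexes and the sample text are assumptions constructed for illustration.

```python
import re

# Plain <a> tag whose href is a literal /apex/ URL. "<a\b" does not match
# "<apex:outputLink", which the release notes list as a working form.
PLAIN_LINK = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\'](/apex/(\w+))[^"\']*["\']', re.I)
# Apex "return '/apex/PageName';" (a bare string, not a PageReference).
STRING_RETURN = re.compile(r"\breturn\s+'(/apex/(\w+))[^']*'\s*;")

# Constructed sample mixing the working and non-working forms quoted above.
SAMPLE = """\
<a href="/apex/PageName">Link</a>
<apex:outputLink value="/apex/PageName">Link using apex:outputLink</apex:outputLink>
<a href="{!$Page.PageName}">Link using $Page</a>
<a href="{!URLFOR($Page.PageName)}">Link using URLFOR()</a>
<a href="/apex/OtherPage?id=1">Link to a page without the checkbox</a>
public String getPage() { return '/apex/PageName'; }
public PageReference getPage1() { return Page.PageName; }
public PageReference getPage2() { return new PageReference('/apex/PageName'); }
"""


def find_breaking_references(source, protected_pages):
    """Return (line_no, kind, page) for each reference to a protected page
    written in a form that fails once CSRF checks on GET are enabled."""
    # Assumption: page names are compared case-insensitively.
    protected = {name.lower() for name in protected_pages}
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for kind, pattern in (("plain-link", PLAIN_LINK),
                              ("string-return", STRING_RETURN)):
            for match in pattern.finditer(line):
                page = match.group(2)
                if page.lower() in protected:
                    findings.append((line_no, kind, page))
    return findings


if __name__ == "__main__":
    for line_no, kind, page in find_breaking_references(SAMPLE, {"PageName"}):
        print(f"line {line_no}: {kind} reference to {page}")
```

Each flagged line is a candidate for rewriting with `$Page`, `URLFOR()`, `apex:outputLink` or a `PageReference`, as shown in the answer.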
