CSRF safe Custom button linked to Apex method

Question

I'm looking for a technique to execute Apex code from a custom button added to the Opportunity object in a way that protects the user against CSRF.

The current approach being used comes from the question - Custom Button or Link to a Visualforce page with a custom controller. Essentially:

1. There is an Opportunity Custom Button with the Content Source set to "Visualforce Page".
2. The Content for this button is set to a Visualforce page that uses Opportunity for the standardController, has an extension apex class entered and an action for a method in that class
3. The action method returns a PageReference to another custom Visualforce page, including adding a parameter with the Opportunity Id.
4. This second custom Visualforce page does the bulk of the actual work, including making web service callouts and performing DML operations before redirecting the user back to the Opportunity.

The issue with this approach is that the second custom Visualforce page is retrieved via an HTTP GET, pulls parameters from the query string, and performs update/insert DML operations with no CSRF protection. This is being picked up by the Force.com Security Source Code Scanner.

I should add that this apex code is deployed as both a managed and a unmanaged package, hence the extra work to redirect to the target Visualforce Page using a PageReference. This ensures the namespace prefix is added if required.

How can I avoid the CSRF issue?

I don't want to add a form to the second visualforce page with a button that they must press to start the process (and hence picking up the ViewStateCSRF protection in the postback). From the users perspective they have already pressed the button to perform the operation.

I've asked this question before on the developer force forum and didn't come up with a solution - Cross-Site Request Forgery (CSRF/XSRF) safe Custom Button action

Perhaps I should be trying to move the code out of the controller for the second visual force page and using the extension to the stand controller instead?

I could switch to a Javascript callback to an Apex Web Service (as suggested in Call a apex method from a custom button and How invoke APEX method from custom button), but it seems a bit messy and I'm not sure if I'd just be opening up another range of security issues with the web service.

Answer 1

The following approaches can be followed:

1. Creating an intermediate form in a Visualforce page which will trigger the sensitive Apex Code. Therefore, picking up the built-in CSRF protection.
2. Overriding the Opportunity Detail page: This new Visualforce page would incorporate a comparable form post back to option 1 to invoke the sensitive APEX code and get automatic CSRF protection.

Want to become a Salesforce expert, join Salesforce Online Training now!