- You may see cases where the customer has bookmarked or embedded internal links, such as Coaching Advisor or Writing Assistant, and opening them fails with the error message “You are not authorized to access the functionality you have requested”. This also affects hardcoded links that you may have in the Welcome Message on the homepage.
- This is caused by the CSRF filter, which is enabled in Provisioning > Company Settings.
- CSRF stands for Cross-Site Request Forgery. The filter was added as an enhancement in B1311 (PLT-27457) to prevent untrusted users from browsing the SF application.
- Quick Links do not support internal link bookmarks when the CSRF filter is enabled in Provisioning, and this is by design. When the CSRF filter is enabled, the application requires a special token (the _s.crb token, which is bound to the current live session), and a bookmarked or hardcoded link does not carry it.
- To protect customers against CSRF, engineering will make the CSRF filter permanently enabled (B1405), after which it will no longer be possible to disable it from Provisioning.
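The following is an added illustration of the mechanism described above, not SuccessFactors code: a minimal server-side CSRF filter that issues a token per live session and rejects any request whose token is missing or belongs to a different session. The parameter name `_s.crb` is taken from the article; its placement in the query string, the session layout and the path `/coaching/advisor` are assumptions made for the example. It shows why a bookmark saved during one session is rejected the next day even though the user is logged in.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Hypothetical parameter name; the token's real placement in SF is not described in the KBA.
TOKEN_PARAM = "_s.crb"
DENIED_MESSAGE = "You are not authorized to access the functionality you have requested"


@dataclass
class Session:
    """A live session: the CSRF token is generated with the session and dies with it."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class CsrfFilter:
    """Allows a request only if its _s.crb token matches the caller's live session."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def login(self) -> Session:
        """Create a new live session with a fresh, session-bound token."""
        session = Session(session_id=secrets.token_hex(16))
        self._sessions[session.session_id] = session
        return session

    def link_for(self, session: Session, path: str) -> str:
        """Build an internal link the way the running application would: token appended."""
        return f"{path}?{TOKEN_PARAM}={session.csrf_token}"

    def check(self, session_id: str, url: str) -> tuple[bool, str]:
        """Return (allowed, reason) for a request made under the given session."""
        session = self._sessions.get(session_id)
        if session is None:
            return False, "no live session"
        supplied = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [""])[0]
        if not supplied:
            # A plain bookmark or a hardcoded Welcome Message link lands here.
            return False, "missing _s.crb token (bookmarked or hardcoded link)"
        # Constant-time comparison so the check does not leak the token through timing.
        if not hmac.compare_digest(supplied, session.csrf_token):
            # A link saved with a token from an earlier session lands here.
            return False, "stale _s.crb token (issued for another session)"
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenario: bookmark taken in one session, reused after a new login."""
    f = CsrfFilter()
    first = f.login()
    bookmarked = f.link_for(first, "/coaching/advisor")  # user bookmarks this link today
    second = f.login()                                    # tomorrow: new session, new token
    return {
        "bookmark_with_old_token": f.check(second.session_id, bookmarked),
        "hardcoded_plain_link": f.check(second.session_id, "/coaching/advisor"),
        "fresh_link": f.check(second.session_id, f.link_for(second, "/coaching/advisor")),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'allowed' if allowed else DENIED_MESSAGE} ({reason})")
```

Only the link generated inside the current session passes; both the bookmarked link (old token) and the hardcoded link (no token) are refused, which is the behaviour the article says is by design. Disabling the filter removes this check entirely, which is why engineering asks to be notified before it is turned off.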
Before disabling the CSRF filter in Provisioning, please notify the engineering security team of the company name, ID and datacenter at the alias below. My understanding is that they are keeping track of these companies so they can include them in the patch.
Until engineering finds a solution or workaround, or permanently enables the CSRF filter, you can disable it in Provisioning > Company Settings:
- Go to Provisioning
- Locate the instance
- Open Company Settings
- Scroll down to “Disable CSRF Filter (Please email eng-security before turning off the feature.)” and select the checkbox
- Click on "Save Feature"
KBA, sf platform, LOD-SF-PLT, Foundational Capabilities & Tools, Problem