CIVI-SA-2016-17: Manage CSRF overrides for external profile forms

CiviCRM allows administrators to define custom profile-forms in which constituents enter their names, addresses, custom data, etc. CiviCRM is designed to embed all its forms within a CMS (such as Drupal, Joomla, or WordPress), but some administrators also need to embed profile-forms in an external site or custom HTML document. This has sometimes been accomplished with an "HTML Snippet" technique -- the bare, literal HTML code for a profile-form is manually copied and pasted to an external web site.

Unfortunately, this technique is incompatible with the "qfKey" security feature which prevents cross-site request forgery. Profile-forms had the "qfKey" security feature disabled. This constitutes a functionality-vs-security trade-off that some have found acceptable, but it is not appropriate or necessary for all organizations.

Beginning with 4.7.11+ and 4.6.21+, this compromise is no longer necessary -- the "qfKey" enforcement is now available but optional. Specifically:

• New CiviCRM installations will enable "qfKey" security for profiles by default. This is a more secure default that works for the majority of organizations.
• Existing CiviCRM installations will disable "qfKey" security for profiles by default. This is a more compatible default that ensures that existing customizations continue to work.
• When administrators review CiviCRM's self-diagnosis for potential security issues, it will display a warning if you have disabled "qfKey".

In 4.7.11+/4.6.21+, you can toggle this option by:

• Navigating to "Administer => System Settings => Misc"
• (OR) Modifying the setting "remote_profile_submissions"