CSRF protection has been strengthened for Plone 5.
Its main purpose is to prevent persistent changes in your Plone from foreign (potentially malicious) sites. Its main principle is to add an authentication token in requests indirectly coming from Plone itself and verify this token in requests which have changed something persistently. The error you see indicates that 1. the request has changed something persistently and 2. that the authentication token verification failed.
Plone's CSRF protection allows various ways to control it. There is an environment variable to disable it completely, one can register special view names for which CSRF protection is disabled, a request can indicate (during its processing) that it does not want CSRF protection. Read the plone.protect documentation for details.
That you see those CSRF issues likely means that your Plone contains add ons which (unexpectedly) make persistent changes without using the necessary controls for the CSRF protection. You can either disable CSRF protection globally or try to identify the affected add ons and get updated versions for them.
Thank you for detail info on CSRF Protection. I understand the importance of security which is one of the reason I've been using Plone for more than 10 years.
I've experimented 'step by step' upgrade migration with my phone4 site. I'd like to share the results.
Start with 4.3.12 to 4.3.18, then upgrade to 5.0.4, to 5.0.5 and so on. My site could upgrade to 5.1.2 without problem and edit & add any content. But upgrade to 5.1.2 to 5.1.4 cause CSRF issue. I guess there are big difference between 5.1.2 and 5.1.4.
I also read the document and it said "To disable all automatic CSRF protection, set the environment variable PLONE_CSRF_DISABLED value to true."
But where is "PLONE_CSRF_DISABLED value"? I couldn't find this value in Configuration Registry.
"Environment variable"s do not live inside a Plone portal; they are global to the whole Plone/Zope process. You set them either on the operating system level or via the Zope configuration file (typically named zope.conf). The latter is usually generated by buildout and its environment section (responsible for the environment variable definitions) is generated from the environment-vars definion in the buildout configuration.