I get this error within one of my html pages on a Action= event. Just going to a public site like http://www.usatoday.com
CSRF means Cross Site Request Forgery. Are you are getting this message in the context of something to do with QuickBase? I doubt anything is wrong with your QuickBase application but a CSRF means someone has infected a web page your are visiting and is trying to exploit a session you are logged in to with another service. From your message I can't tell if QuickBase has any involvement in what you are experiencing.
It used to work before, a simple navigation to another site from a html "page" within quickbase using the <form> action="https://www.usatoday.com" event. All of a sudden it's not working. I thought it maybe had something to do with tokens, but they are turned off, and tokens are only used for internal QB navigation or other QB API URL calls.
That message means your browser is attempting to visit a page in a site without sending a referrer header. In other words one of your browser windows is attempting to forge a link to another service and your browser has blocked it. So you are visiting an infected page or have an infected system but the system blocked the request. Again I don't know what this has to do with your QuickBase usage. For more info: