Samuli, I check parameter ~XSRFCHECK=0 on our Solution Maneger server, which more modern than ERP and in correspond note 1458171 include XSRF protection.
But it not work also.
When I copy and paste url
and press "Enter", I see logon windows, also as withot params sap-login=user&sap-password=pass:
http://f.q.dn:8080/sap/bc/gui/sap/its/test/mobile/itsmobile00?sap-client=100