diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index ceeeb6c..f9b08e9 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -50,7 +50,7 @@ public function appliesTo() {
 public function access(Route $route, Request $request) {
 // If this is the controller request, check CSRF access as normal.
 if ($request->attributes->get('_controller_request')) {
- return $this->csrfToken->validate($request->query->get('csrf'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;
+ return $this->csrfToken->validate($request->query->get('token'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;
 }
 // Otherwise, this could be another requested access check that we don't
diff --git a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
index 49cef65..e9633a7 100644
--- a/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
+++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
@@ -41,7 +41,7 @@ public function processOutbound(Route $route, array &$parameters) {
 if ($route->hasRequirement('_csrf')) {
 // Adding this to the parameters means it will get merged into the query
 // string when the route is compiled.
- $parameters['csrf'] = $this->csrfToken->get($route->getRequirement('_csrf'));
+ $parameters['token'] = $this->csrfToken->get($route->getRequirement('_csrf'));
 }
 }
diff --git a/core/modules/shortcut/lib/Drupal/shortcut/Controller/ShortcutSetController.php b/core/modules/shortcut/lib/Drupal/shortcut/Controller/ShortcutSetController.php
index 7123ae5..d2f38eb 100644
--- a/core/modules/shortcut/lib/Drupal/shortcut/Controller/ShortcutSetController.php
+++ b/core/modules/shortcut/lib/Drupal/shortcut/Controller/ShortcutSetController.php
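Review bot: The query key `'token'` read in `access()` is a bare literal that must stay identical to the key `RouteProcessorCsrf::processOutbound()` writes in the next file of this commit; nothing ties the two together, and a mismatch makes every `_csrf` route fail with `KILL` on controller requests. A shared constant referenced from both classes would remove that coupling by convention, for example `const TOKEN_QUERY_KEY = 'token';` (the name is only a suggestion). It is also worth guarding the value before validation, since `$request->query->get('token')` may be null or an array and `validate()` is not visible here: `$token = $request->query->get('token'); if (!is_string($token)) { return static::KILL; }`. The body of `access()` continues below the hunk.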
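Review bot: `$parameters['token'] = …` in `processOutbound()` replaces whatever `token` value the caller handed to the URL generator, and a name this generic is more likely to be in use already than `csrf` was. If a `_csrf` route ever declares a `{token}` path placeholder, the value would presumably fill the path slot instead of being merged into the query string as the comment above the assignment promises. The comment should state the reservation explicitly, e.g. `// 'token' is reserved on _csrf routes: a caller-supplied value is overwritten.`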
@@ -33,9 +33,8 @@ class ShortcutSetController extends ControllerBase { * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException */ public function addShortcutLinkInline(ShortcutSetInterface $shortcut_set, Request $request) { - $token = $request->query->get('token'); $link = $request->query->get('link'); - if (isset($token) && drupal_valid_token($token, 'shortcut-add-link') && shortcut_valid_link($link)) { + if (shortcut_valid_link($link)) { $item = menu_get_item($link); $title = ($item && $item['title']) ? $item['title'] : $link; $link = array( diff --git a/core/modules/shortcut/shortcut.module b/core/modules/shortcut/shortcut.module index 5432140..66a56fa 100644 --- a/core/modules/shortcut/shortcut.module +++ b/core/modules/shortcut/shortcut.module @@ -461,14 +461,15 @@ function shortcut_preprocess_page(&$variables) { $link_mode = isset($mlid) ? "remove" : "add"; if ($link_mode == "add") { - $query['token'] = drupal_get_token('shortcut-add-link'); $link_text = shortcut_set_switch_access() ? t('Add to %shortcut_set shortcuts', array('%shortcut_set' => $shortcut_set->label())) : t('Add to shortcuts'); - $link_path = 'admin/config/user-interface/shortcut/manage/' . $shortcut_set->id() . '/add-link-inline'; + $route_name = 'shortcut.link_add_inline'; + $route_parameters = array('shortcut_set' => $shortcut_set->id()); } else { $query['mlid'] = $mlid; $link_text = shortcut_set_switch_access() ? t('Remove from %shortcut_set shortcuts', array('%shortcut_set' => $shortcut_set->label())) : t('Remove from shortcuts'); - $link_path = 'admin/config/user-interface/shortcut/link/' . $mlid . '/delete'; + $route_name = 'shortcut.link_delete'; + $route_parameters = array('menu_link' => $mlid); } if (theme_get_setting('shortcut_module_link')) { @@ -481,7 +482,8 @@ function shortcut_preprocess_page(&$variables) { '#prefix' => '', ); diff --git a/core/modules/shortcut/shortcut.routing.yml b/core/modules/shortcut/shortcut.routing.yml index 15549fd..de070fd 100644 
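Review bot: After this hunk nothing in `addShortcutLinkInline()` shows that the request is CSRF-protected; the check now lives only in the `_csrf: 'shortcut-add-link'` requirement added to shortcut.routing.yml, so a later change that re-routes or calls this method directly would lose the protection without any visible sign. Add a line to the docblock or above the `if`, e.g. `// The CSRF token is validated by the _csrf requirement on shortcut.link_add_inline.` Note also that `$link` comes straight from the query string and `shortcut_valid_link()` is now its only gate in this method; that function's definition is outside this page. The method body continues past the hunk.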
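Review bot: With `$query['token']` removed from the add branch of `shortcut_preprocess_page()`, the link only carries a CSRF token if its URL is built from `$route_name` and `$route_parameters` through the URL generator, so that the outbound route processor runs; a link still rendered from a raw path would reach the `_csrf` route without a token. A comment in the add branch would make that dependency explicit, e.g. `// The CSRF token is appended by the route processor because shortcut.link_add_inline requires _csrf.` The later hunk of this file that should consume the two new variables is not fully readable on this page, so confirm that no reference to `$link_path` remains. The function starts and ends outside the hunk.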
--- a/core/modules/shortcut/shortcut.routing.yml
+++ b/core/modules/shortcut/shortcut.routing.yml
@@ -40,6 +40,7 @@ shortcut.link_add_inline:
 _controller: 'Drupal\shortcut\Controller\ShortcutSetController::addShortcutLinkInline'
 requirements:
 _entity_access: 'shortcut_set.update'
+ _csrf: 'shortcut-add-link'
 shortcut.set_customize:
 path: '/admin/config/user-interface/shortcut/manage/{shortcut_set}'
diff --git a/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php b/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
index bfe40a3..2a12387 100644
--- a/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/CsrfAccessCheckTest.php
@@ -71,7 +71,7 @@ public function testAccessTokenPass() {
 $route = new Route('', array(), array('_csrf' => 'test'));
 $request = new Request(array(
- 'csrf' => 'test_query',
+ 'token' => 'test_query',
 ));
 // Set the _controller_request flag so tokens are validated.
 $request->attributes->set('_controller_request', TRUE);
@@ -90,7 +90,7 @@ public function testAccessTokenFail() {
 $route = new Route('', array(), array('_csrf' => 'test'));
 $request = new Request(array(
- 'csrf' => 'test_query',
+ 'token' => 'test_query',
 ));
 // Set the _controller_request flag so tokens are validated.
 $request->attributes->set('_controller_request', TRUE);
@@ -109,7 +109,7 @@ public function testAccessTokenMissAny() {
 $route = new Route('', array(), array('_csrf' => 'test'));
 $request = new Request(array(
- 'csrf' => 'test_query',
+ 'token' => 'test_query',
 ));
 $this->assertSame(AccessInterface::DENY, $this->accessCheck->access($route, $request));
@@ -126,7 +126,7 @@ public function testAccessTokenMissAll() {
 $route = new Route('', array(), array('_csrf' => 'test'), array('_access_mode' => 'ALL'));
 $request = new Request(array(
- 'csrf' => 'test_query',
+ 'token' => 'test_query',
 ));
 $this->assertSame(AccessInterface::ALLOW, $this->accessCheck->access($route, $request));
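Review bot: The `shortcut.link_add_inline` route now lists two requirements, `_entity_access` and `_csrf`, but no `_access_mode` option is visible in this hunk. The tests in this commit show that access checks are combined under an ANY or ALL mode, and `CsrfAccessCheck::access()` returns `ALLOW` for a valid token; if ANY applies here, a valid token could be sufficient by itself and `shortcut_set.update` would not have to pass. Confirm how the two results are combined and, if needed, make both mandatory with an `options:` entry `_access_mode: 'ALL'` on this route. The token value `'shortcut-add-link'` is the same for every shortcut set, so entity access is the only thing that scopes the action to a particular set.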
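Review bot: All four updated tests in CsrfAccessCheckTest.php send the new `token` key, so nothing asserts what happens when a controller request carries no `token` at all, or still carries the old `csrf` key from a cached or bookmarked link. A case modelled on `testAccessTokenFail()` with `new Request(array('csrf' => 'test_query'))` and the `_controller_request` flag set, expecting the `KILL` result, would pin the rename as fail-closed. The same gap applies to the hunks at lines 90, 109 and 126 of this file.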
diff --git a/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php b/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
index 681df29..b902fef 100644
--- a/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
+++ b/core/tests/Drupal/Tests/Core/Access/RouteProcessorCsrfTest.php
@@ -80,8 +80,8 @@ public function testProcessOutbound() {
 $this->processor->processOutbound($route, $parameters);
 // 'csrf' should be added to the parameters array.
- $this->assertArrayHasKey('csrf', $parameters);
- $this->assertSame($parameters['csrf'], 'test_token');
+ $this->assertArrayHasKey('token', $parameters);
+ $this->assertSame($parameters['token'], 'test_token');
 }
 }
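Review bot: The context comment directly above the changed assertions in `testProcessOutbound()` still reads `// 'csrf' should be added to the parameters array.`, which no longer matches what is asserted; it should become `// 'token' should be added to the parameters array.` While these lines are being touched, `assertSame()` takes the expected value first, so `$this->assertSame('test_token', $parameters['token']);` would produce a correct failure message.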