diff --git a/core/modules/user/src/Controller/MailChangeController.php b/core/modules/user/src/Controller/MailChangeController.php
index 7f339e82b7..91dc4ff940 100644
--- a/core/modules/user/src/Controller/MailChangeController.php
+++ b/core/modules/user/src/Controller/MailChangeController.php
@@ -2,20 +2,49 @@
 
 namespace Drupal\user\Controller;
 
+use Drupal\Component\Datetime\TimeInterface;
 use Drupal\Component\Utility\Crypt;
 use Drupal\Core\Access\AccessResult;
 use Drupal\Core\Controller\ControllerBase;
 use Drupal\Core\Url;
 use Drupal\user\UserInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 
 /**
  * Provides a controller Email change routes.
  */
 class MailChangeController extends ControllerBase {
 
+  /**
+   * The date-time service.
+   *
+   * @var \Drupal\Component\Datetime\TimeInterface
+   */
+  protected $dateTime;
+
+  /**
+   * Builds a new controller.
+   *
+   * @param \Drupal\Component\Datetime\TimeInterface $date_time
+   *   The date-time service.
+   */
+  public function __construct(TimeInterface $date_time) {
+    $this->dateTime = $date_time;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function create(ContainerInterface $container) {
+    return new static($container->get('datetime.time'));
+  }
+
   /**
    * Returns the user mail change page.
    *
+   * In order to never disclose a mail change link via a referrer header this
+   * controller must always return a redirect response.
+   *
    * @param \Drupal\user\UserInterface $user
    *   The user account requesting Email change.
    * @param string $new_mail
@@ -32,7 +61,7 @@ public function page(UserInterface $user, $new_mail, $timestamp, $hash) {
     $timeout = $this->config('user.settings')->get('mail_change_timeout');
     /** @var \Drupal\Core\Session\AccountProxyInterface $current_user */
     $current_user = $this->currentUser();
-    $request_time = \Drupal::time()->getRequestTime();
+    $request_time = $this->dateTime->getRequestTime();
     $messenger = $this->messenger();
 
     // Other user is authenticated.
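Review bot: The docblock added to page() states an invariant — the method must always return a redirect so the one-time link is never exposed through a Referer header — but nothing in the signature expresses it, so a future branch returning a render array would go unnoticed; add `@return \Symfony\Component\HttpFoundation\RedirectResponse` to that docblock (or a native return type if the project's PHP baseline allows) so static analysis can hold the line. The injected property is declared untyped as `protected $dateTime;`; if the codebase's PHP baseline permits typed properties, `protected TimeInterface $dateTime;` would pin it to the interface the constructor already requires. page()'s body continues past the second hunk, so whether every exit path already yields a redirect cannot be confirmed from here.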
@@ -85,7 +114,7 @@ public function access(UserInterface $user) {
   }
 
   /**
-   * Generates a unique url for a one time email change confirmation.
+   * Generates a unique URL for a one time mail change confirmation.
    *
    * @param \Drupal\user\UserInterface $account
    *   An object containing the user account.
diff --git a/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
index 4a8d2b01b7..cf6e99c06c 100644
--- a/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -220,5 +220,4 @@ user.mail_change:
     user: \d+
     timestamp: \d+
   options:
-    _maintenance_access: TRUE
     no_cache: TRUE