diff --git a/core/lib/Drupal/Core/Form/FormState.php b/core/lib/Drupal/Core/Form/FormState.php
index 9d651cd..7ee5f04 100644
--- a/core/lib/Drupal/Core/Form/FormState.php
+++ b/core/lib/Drupal/Core/Form/FormState.php
@@ -8,6 +8,7 @@
 namespace Drupal\Core\Form;
 
 use Drupal\Component\Utility\NestedArray;
+use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Url;
 use Symfony\Component\HttpFoundation\Response;
 
@@ -1016,6 +1017,10 @@ public function setRedirect($route_name, array $route_parameters = array(), arra
    * {@inheritdoc}
    */
   public function setRedirectUrl(Url $url) {
+    if (!$this->checkNamedRoute($url->getRouteName(), $url->getRouteParameters())) {
+      // @todo Use a more specific exception class.
+      throw new \Exception(SafeMarkup::format('Access denied for "@route_name"', ['@route_name' => $url->getRouteName()]));
+    }
     $this->redirect = $url;
     return $this;
   }
@@ -1245,6 +1250,13 @@ public function cleanValues() {
   }
 
   /**
+   * Wraps AccessManager::checkNamedRoute().
+   */
+  protected function checkNamedRoute($route_name, array $parameters = []) {
+    return \Drupal::accessManager()->checkNamedRoute($route_name, $parameters);
+  }
+
+  /**
    * Wraps drupal_set_message().
    *
    * @return array|null