diff -u b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
--- b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
+++ b/core/lib/Drupal/Core/Access/RouteProcessorCsrf.php
@@ -32,7 +32,7 @@
    * {@inheritdoc}
    */
   public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
-    if ($route->hasRequirement('_csrf_token') || $route->hasRequirement('_csrf_token_or_confirm')) {
+    if ($route->hasRequirement('_csrf_token') || $route->hasOption('_csrf_token_or_confirm')) {
       $path = ltrim($route->getPath(), '/');
       // Replace the path parameters with values from the parameters array.
       foreach ($parameters as $param => $value) {
diff -u b/core/modules/user/user.routing.yml b/core/modules/user/user.routing.yml
--- b/core/modules/user/user.routing.yml
+++ b/core/modules/user/user.routing.yml
@@ -12,6 +12,7 @@
     _controller: '\Drupal\user\Controller\UserController::logout'
   requirements:
     _user_is_logged_in: 'TRUE'
+  options:
     _csrf_token_or_confirm: 'TRUE'
 
 user.admin_index: