diff --git a/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml b/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml index 70b07fc..a5a5191 100644 --- a/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml +++ b/core/modules/system/tests/modules/csrf_test/csrf_test.routing.yml @@ -17,3 +17,11 @@ csrf_test.deprecated.protected: requirements: _access_rest_csrf: 'TRUE' _method: 'POST' +# @todo This route can be removed in 8.3. +# @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access() +csrf_test.deprecated.csrftoken: + path: '/deprecated/session/token' + defaults: + _controller: '\Drupal\csrf_test\Controller\DeprecatedCsrfTokenController::csrfToken' + requirements: + _access: 'TRUE' diff --git a/core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php b/core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php new file mode 100644 index 0000000..7155e7a --- /dev/null +++ b/core/modules/system/tests/modules/csrf_test/src/Controller/DeprecatedCsrfTokenController.php @@ -0,0 +1,57 @@ +tokenGenerator = $token_generator; + } + + /** + * {@inheritdoc} + */ + public static function create(ContainerInterface $container) { + return new static( + $container->get('csrf_token') + ); + } + + /** + * Returns a CSRF using the deprecated 'rest' value protecting session token. + * + * @return \Symfony\Component\HttpFoundation\Response + * The response object. + */ + public function csrfToken() { + return new Response($this->tokenGenerator->get('rest'), 200, ['Content-Type' => 'text/plain']); + } + +} diff --git a/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php b/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php index 5cea4a4..c6d7b35 100644 --- a/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php +++ b/core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php 
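Review bot: The docblock on `csrfToken()` reads awkwardly — "Returns a CSRF using the deprecated 'rest' value protecting session token." — and should state what is returned, e.g. `Returns a CSRF token generated with the deprecated 'rest' value.`, ideally paired with a `@todo` matching the one in csrf_test.routing.yml so the controller is removed together with its route. The top of the new file (namespace, use statements, class docblock and the constructor signature) is not visible in this view, so whether the class docblock already carries that removal note cannot be confirmed here. The token is returned as a plain `Response` rather than a cacheable one; if that is deliberate, so that a per-session token is never served from the page cache, a one-line comment saying so would stop a later maintainer from "fixing" it.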
@@ -28,48 +28,56 @@ class CsrfRequestHeaderTest extends BrowserTestBase { */ public function testRouteAccess() { $client = \Drupal::httpClient(); - // Check both test routes. - $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected']; - foreach ($route_names as $route_name) { - $user = $this->drupalCreateUser(); - $this->drupalLogin($user); + $csrf_token_paths = ['deprecated/session/token', 'session/token']; + // Test using the both the current path and a test path that returns + // a token using the deprecated 'rest' value. + // Checking /deprecated/session/token can be removed in 8.3. + // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access() + foreach ($csrf_token_paths as $csrf_token_path) { + // Check both test routes. + $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected']; + foreach ($route_names as $route_name) { + $user = $this->drupalCreateUser(); + $this->drupalLogin($user); - $csrf_token = $this->drupalGet('session/token'); - $url = Url::fromRoute($route_name) - ->setAbsolute(TRUE) - ->toString(); - $domain = parse_url($url, PHP_URL_HOST); + $csrf_token = $this->drupalGet($csrf_token_path); + $url = Url::fromRoute($route_name) + ->setAbsolute(TRUE) + ->toString(); + $domain = parse_url($url, PHP_URL_HOST); - $session_id = $this->getSession()->getCookie($this->getSessionName()); - /** @var \GuzzleHttp\Cookie\CookieJar $cookies */ - $cookies = CookieJar::fromArray([$this->getSessionName() => $session_id], $domain); - $post_options = [ - 'headers' => ['Accept' => 'text/plain'], - 'http_errors' => FALSE, - ]; + $session_id = $this->getSession()->getCookie($this->getSessionName()); + /** @var \GuzzleHttp\Cookie\CookieJar $cookies */ + $cookies = CookieJar::fromArray([$this->getSessionName() => $session_id], $domain); + $post_options = [ + 'headers' => ['Accept' => 'text/plain'], + 'http_errors' => FALSE, + ]; - // Test that access is allowed for anonymous user with no token in header. 
- $result = $client->post($url, $post_options); - $this->assertEquals(200, $result->getStatusCode()); + // Test that access is allowed for anonymous user with no token in header. + $result = $client->post($url, $post_options); + $this->assertEquals(200, $result->getStatusCode()); - // Add cookies to POST options so that all other requests are for the - // authenticated user. - $post_options['cookies'] = $cookies; + // Add cookies to POST options so that all other requests are for the + // authenticated user. + $post_options['cookies'] = $cookies; - // Test that access is denied with no token in header. - $result = $client->post($url, $post_options); - $this->assertEquals(403, $result->getStatusCode()); + // Test that access is denied with no token in header. + $result = $client->post($url, $post_options); + $this->assertEquals(403, $result->getStatusCode()); - // Test that access is allowed with correct token in header. - $post_options['headers']['X-CSRF-Token'] = $csrf_token; - $result = $client->post($url, $post_options); - $this->assertEquals(200, $result->getStatusCode()); + // Test that access is allowed with correct token in header. + $post_options['headers']['X-CSRF-Token'] = $csrf_token; + $result = $client->post($url, $post_options); + $this->assertEquals(200, $result->getStatusCode()); - // Test that access is denied with incorrect token in header. - $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for'; - $result = $client->post($url, $post_options); - $this->assertEquals(403, $result->getStatusCode()); + // Test that access is denied with incorrect token in header. + $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for'; + $result = $client->post($url, $post_options); + $this->assertEquals(403, $result->getStatusCode()); + } } + } }
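Review bot: The `$route_names` array is re-declared on every pass of the new outer `foreach`; it is loop-invariant and reads better declared once beside `$csrf_token_paths`, e.g. `$csrf_token_paths = ['deprecated/session/token', 'session/token'];` followed by `$route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected'];`, with the `// Check both test routes.` comment moved up with it. The explanatory comment above the outer loop has a typo, "Test using the both the current path"; it should read `// Test using both the current path and a test path that returns`. The token fetch `$csrf_token = $this->drupalGet($csrf_token_path);` is never checked, so a misrouted or broken token path would only surface later as a confusing 403 on the correct-token POST; adding `$this->assertSession()->statusCodeEquals(200);` right after it fails at the source instead. The enclosing testRouteAccess() appears to close at the last line of the hunk; the class continues outside it.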