diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index d374bb2..15dc08b 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -689,15 +689,19 @@ public function prepareForm($form_id, &$form, FormStateInterface &$form_state) {
           // submitted form value appears literally, regardless of custom #tree
           // and #parents being set elsewhere.
           '#parents' => array('form_token'),
+          // Instead of setting an actual CSRF token, we've set the placeholder
+          // in form_token's #default_value and #placeholder. These will be
+          // replaced at the very last moment. This ensures forms with a CSRF
+          // token don't have poor cacheability.
+          '#attached' => [
+            'placeholders' => [
+              $placeholder => [
+                '#lazy_builder' => ['form_builder:renderFormTokenPlaceholder', [$placeholder]]
+              ]
+            ]
+          ],
         );
 
-        // Instead of setting an actual CSRF token, we've set the placeholder
-        // in form_token's #default_value and #placeholder. These will be
-        // replaced at the very last moment. This ensures forms with a CSRF
-        // token don't have poor cacheability.
-        $form['#attached']['placeholders'][$placeholder] = [
-          '#lazy_builder' => ['form_builder:renderFormTokenPlaceholder', [$placeholder]]
-        ];
       }
     }