diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index aa41ac0..5747f7b 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -603,7 +603,7 @@ public function processForm($form_id, &$form, FormStateInterface &$form_state) {
   }
 
   /**
-   * #post_render_cache callback; render form csrf token.
+   * #lazy_builder callback; renders form CSRF token.
    *
    * @param string $path
    * @return array
@@ -615,7 +615,6 @@ public function renderFormTokenPlaceholder($path) {
         'contexts' => [
           'session',
         ],
-        'max-age' => 0
       ],
     ];
   }
@@ -674,6 +673,7 @@ public function prepareForm($form_id, &$form, FormStateInterface &$form_state) {
     }
     // Otherwise, generate a public token based on the form id.
     else {
+      // Generates a placeholder based on the form id.
       $placeholder = crc32($form_id);
       $form['#token'] = $placeholder;
 
@@ -688,6 +688,10 @@ public function prepareForm($form_id, &$form, FormStateInterface &$form_state) {
         '#parents' => array('form_token'),
       );
 
+      // Instead of setting an actual CSRF token, we've set the placeholder
+      // in form_token's #default_value and #placeholder. These will be
+      // replaced at the very last moment. This ensures forms with a CSRF
+      // token don't have poor cacheability.
       $form['#attached']['placeholders'][$placeholder] = [
         '#lazy_builder' => ['form_builder:renderFormTokenPlaceholder', [$placeholder]]
       ];
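Review bot: The docblock for renderFormTokenPlaceholder still says `@param string $path`, but the only registration of this callback in the commit (the `#lazy_builder` entry later in the same file) passes the integer placeholder produced by `crc32($form_id)`, so the parameter name and type no longer describe the value received. Suggest documenting the real argument and the return, e.g. `@param string|int $placeholder The placeholder generated in prepareForm() for this form.` and `@return array Render array for the real CSRF token, cacheable per 'session' context.`, and renaming the parameter in the signature to match. The method body lies outside this hunk.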
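Review bot: Dropping `'max-age' => 0` makes the rendered token cacheable, so correctness now rests on the `'session'` cache context alone; that is sound only if the token value depends on nothing beyond the session and the lazy-builder argument, which this hunk does not show. A one-line comment next to `'contexts'` would make that intent explicit for the next maintainer, e.g. `// Cacheable per session: the token is derived from the session, so no max-age is needed.` The start of renderFormTokenPlaceholder is outside this hunk.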
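Review bot: The placeholder is a bare decimal `crc32($form_id)`, and if placeholder substitution works by plain string replacement on the rendered markup, as it appears to, any other occurrence of that digit run in the form's HTML would be replaced with the CSRF token as well. The added comment should at least state the constraint, e.g. `// The placeholder must not occur elsewhere in the rendered markup; crc32() of the form id is used as a short deterministic key.` A longer, non-numeric placeholder would remove the ambiguity, but that is a separate change. The else-branch continues past the hunk.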
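Review bot: The new comment refers to form_token's `#default_value` and `#placeholder`, which are set outside this hunk, but does not say what ties the two halves together; worth adding `// $placeholder is also the lazy-builder argument, so renderFormTokenPlaceholder() receives the same value stored in $form['#token'].` The new `[...]` literal also sits directly under `array('form_token')` in the same method, so the file now mixes both array syntaxes; pick one, and add a trailing comma after the `#lazy_builder` element. prepareForm() continues beyond the hunk.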