Update to Drupal 8.0.0 beta 14. For more information, see https://drupal.org/node/2544542

core/lib/Drupal/Core/Access/AccessResult.php

@@ -25,6 +25,9 @@ use Drupal\Core\Session\AccountInterface;
  *
  * When using ::orIf() and ::andIf(), cacheability metadata will be merged
  * accordingly as well.
+ *
+ * @todo Use RefinableCacheableDependencyInterface and the corresponding trait in
+ *   https://www.drupal.org/node/2526326.
  */
 abstract class AccessResult implements AccessResultInterface, CacheableDependencyInterface {
 
@@ -316,10 +319,12 @@ abstract class AccessResult implements AccessResultInterface, CacheableDependenc
    *   The entity whose cache tag to set on the access result.
    *
    * @return $this
+   *
+   * @deprecated in Drupal 8.0.x-dev, will be removed before Drupal 9.0.0. Use
+   *   ::addCacheableDependency() instead.
    */
   public function cacheUntilEntityChanges(EntityInterface $entity) {
-    $this->addCacheTags($entity->getCacheTags());
-    return $this;
+    return $this->addCacheableDependency($entity);
   }
 
   /**
@@ -329,9 +334,33 @@ abstract class AccessResult implements AccessResultInterface, CacheableDependenc
    *   The configuration object whose cache tag to set on the access result.
    *
    * @return $this
+   *
+   * @deprecated in Drupal 8.0.x-dev, will be removed before Drupal 9.0.0. Use
+   *   ::addCacheableDependency() instead.
    */
   public function cacheUntilConfigurationChanges(ConfigBase $configuration) {
-    $this->addCacheTags($configuration->getCacheTags());
+    return $this->addCacheableDependency($configuration);
+  }
+
+  /**
+   * Adds a dependency on an object: merges its cacheability metadata.
+   *
+   * @param \Drupal\Core\Cache\CacheableDependencyInterface|object $other_object
+   *   The dependency. If the object implements CacheableDependencyInterface,
+   *   then its cacheability metadata will be used. Otherwise, the passed in
+   *   object must be assumed to be uncacheable, so max-age 0 is set.
+   *
+   * @return $this
+   */
+  public function addCacheableDependency($other_object) {
+    if ($other_object instanceof CacheableDependencyInterface) {
+      $this->contexts = Cache::mergeContexts($this->contexts, $other_object->getCacheContexts());
+      $this->tags = Cache::mergeTags($this->tags, $other_object->getCacheTags());
+      $this->maxAge = Cache::mergeMaxAges($this->maxAge, $other_object->getCacheMaxAge());
+    }
+    else {
+      $this->maxAge = 0;
+    }
     return $this;
   }
 

core/lib/Drupal/Core/Access/RouteProcessorCsrf.php

@@ -7,7 +7,7 @@
 
 namespace Drupal\Core\Access;
 
-use Drupal\Core\Cache\CacheableMetadata;
+use Drupal\Core\Render\BubbleableMetadata;
 use Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface;
 use Symfony\Component\Routing\Route;
 
@@ -36,7 +36,7 @@ class RouteProcessorCsrf implements OutboundRouteProcessorInterface {
   /**
    * {@inheritdoc}
    */
-  public function processOutbound($route_name, Route $route, array &$parameters, CacheableMetadata $cacheable_metadata = NULL) {
+  public function processOutbound($route_name, Route $route, array &$parameters, BubbleableMetadata $bubbleable_metadata = NULL) {
     if ($route->hasRequirement('_csrf_token')) {
       $path = ltrim($route->getPath(), '/');
       // Replace the path parameters with values from the parameters array.
@@ -45,13 +45,44 @@ class RouteProcessorCsrf implements OutboundRouteProcessorInterface {
       }
       // Adding this to the parameters means it will get merged into the query
       // string when the route is compiled.
-      $parameters['token'] = $this->csrfToken->get($path);
-      if ($cacheable_metadata) {
-        // Tokens are per user and per session, so not cacheable.
-        // @todo Improve in https://www.drupal.org/node/2351015.
-        $cacheable_metadata->setCacheMaxAge(0);
+      if (!$bubbleable_metadata) {
+        $parameters['token'] = $this->csrfToken->get($path);
+      }
+      else {
+        // Generate a placeholder and a render array to replace it.
+        $placeholder = hash('sha1', $path);
+        $placeholder_render_array = [
+          '#lazy_builder' => ['route_processor_csrf:renderPlaceholderCsrfToken', [$path]],
+        ];
+
+        // Instead of setting an actual CSRF token as the query string, we set
+        // the placeholder, which will be replaced at the very last moment. This
+        // ensures links with CSRF tokens don't break cacheability.
+        $parameters['token'] = $placeholder;
+        $bubbleable_metadata->addAttachments(['placeholders' => [$placeholder => $placeholder_render_array]]);
       }
     }
   }
 
+  /**
+   * #lazy_builder callback; gets a CSRF token for the given path.
+   *
+   * @param string $path
+   *   The path to get a CSRF token for.
+   *
+   * @return array
+   *   A renderable array representing the CSRF token.
+   */
+  public function renderPlaceholderCsrfToken($path) {
+    return [
+      '#markup' => $this->csrfToken->get($path),
+      // Tokens are per session.
+      '#cache' => [
+        'contexts' => [
+          'session',
+        ],
+      ],
+    ];
+  }
+
 }