diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index 09364c2..ceeeb6c 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -48,21 +48,23 @@ public function appliesTo() {
    * {@inheritdoc}
    */
   public function access(Route $route, Request $request) {
-    // If this is not the controller request ALLOW now.
+    // If this is the controller request, check CSRF access as normal.
     if ($request->attributes->get('_controller_request')) {
-      $conjunction = $route->getOption('_access_mode') ?: 'ANY';
-      // Return ALLOW if all access checks are needed.
-      if ($conjunction == 'ALL') {
-        return static::ALLOW;
-      }
-      // Return DENY otherwise, as another access checker should grant access
-      // for the route.
-      else {
-        return static::DENY;
-      }
+      return $this->csrfToken->validate($request->query->get('csrf'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;
     }
-    return $this->csrfToken->validate($request->query->get('csrf'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;
+    // Otherwise, this could be another requested access check that we don't
+    // want to check CSRF tokens on.
+    $conjunction = $route->getOption('_access_mode') ?: 'ANY';
+    // Return ALLOW if all access checks are needed.
+    if ($conjunction == 'ALL') {
+      return static::ALLOW;
+    }
+    // Return DENY otherwise, as another access checker should grant access
+    // for the route.
+    else {
+      return static::DENY;
+    }
   }
 }
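Review bot: The token lookup on the new return line inside the `_controller_request` branch, `$request->query->get('csrf')`, yields null when the parameter is absent, so the ALLOW/KILL outcome rests entirely on `$this->csrfToken->validate()` rejecting a non-string value; unless validate() is already strict about that, guard it in the checker with `$token = $request->query->get('csrf');` followed by `return is_string($token) && $this->csrfToken->validate($token, $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;`. The non-controller branch returns ALLOW whenever `_access_mode` is ALL, which is a vacuous pass that only stays safe because the real token check runs on the controller request; the added comment should state that explicitly, e.g. `// ALLOW here is vacuous: the token itself is only verified on the controller request.` so a later change to the ordering does not silently drop the check. The `$conjunction == 'ALL'` comparison is loose; `===` is the safer form for a string option and does not change the intended matches.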