diff --git a/core/modules/system/src/Tests/Theme/ThemeTokenTest.php b/core/modules/system/src/Tests/Theme/ThemeTokenTest.php
new file mode 100644
index 000000000000..3c04aa22bc3d
--- /dev/null
+++ b/core/modules/system/src/Tests/Theme/ThemeTokenTest.php
@@ -0,0 +1,60 @@
+drupalCreateUser(['administer blocks', 'view the administration theme']);
+ $this->drupalLogin($account);
+ }
+
+ /**
+ * Tests if the 'theme_token' key of 'ajaxPageState' is computed.
+ */
+ public function testThemeToken() {
+ // Visit the block administrative page with default theme. We use that page
+ // because 'misc/ajax.js' is loaded there and we can test the token
+ // generation.
+ $this->drupalGet('admin/structure/block');
+ $settings = $this->getDrupalSettings();
+ $this->assertNull($settings['ajaxPageState']['theme_token']);
+
+ // Install 'seven' and configure it as administrative theme.
+ $this->container->get('theme_installer')->install(['seven']);
+ $this->config('system.theme')->set('admin', 'seven')->save();
+
+ // Revisit the page. This time the page is displayed using the 'seven' theme
+ // and that is different from the default theme ('classy').
+ $this->drupalGet('admin/structure/block');
+ $settings = $this->getDrupalSettings();
+ $this->assertNotNull($settings['ajaxPageState']['theme_token']);
+ // The CSRF token is a 43 length string.
+ $this->assertTrue(is_string($settings['ajaxPageState']['theme_token']));
+ $this->assertEqual(strlen($settings['ajaxPageState']['theme_token']), 43);
+ }
+
+}
diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 16ddba6ae324..027ba8bd2047 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
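Review bot: `$this->assertNull($settings['ajaxPageState']['theme_token'])` in testThemeToken reads a key that the system.module change no longer sets at all for the default theme, so if the key is genuinely absent from the decoded settings this access raises an undefined-index notice, which the web test base is likely to record as an error rather than the intended pass; `$this->assertFalse(isset($settings['ajaxPageState']['theme_token']))` asserts absence without depending on how the settings array is assembled. The length check on the final line uses assertEqual, which compares loosely; `$this->assertIdentical(strlen($settings['ajaxPageState']['theme_token']), 43);` pins it strictly. The class header and the start of setUp() are cut off before the visible hunk content, so the user/permission setup could not be reviewed here.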
@@ -688,8 +688,14 @@ function system_js_settings_alter(&$settings, AttachedAssetsInterface $assets) {
 $library_dependency_resolver = \Drupal::service('library.dependency_resolver');
 if (isset($settings['ajaxPageState']) || in_array('core/drupal.ajax', $library_dependency_resolver->getLibrariesWithDependencies($assets->getAlreadyLoadedLibraries()))) {
 if (!defined('MAINTENANCE_MODE')) {
- $settings['ajaxPageState']['theme_token'] = \Drupal::csrfToken()
- ->get(\Drupal::theme()->getActiveTheme()->getName());
+ // The theme token is only validated when the theme requested is not the
+ // default, so don't generate it unless necessary.
+ // @see \Drupal\Core\Theme\AjaxBasePageNegotiator::determineActiveTheme()
+ $active_theme_key = \Drupal::theme()->getActiveTheme()->getName();
+ if ($active_theme_key !== \Drupal::service('theme_handler')->getDefault()) {
+ $settings['ajaxPageState']['theme_token'] = \Drupal::csrfToken()
+ ->get($active_theme_key);
+ }
 }
 }
}
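Review bot: The gate at `if ($active_theme_key !== \Drupal::service('theme_handler')->getDefault())` means pages rendered in the default theme now emit ajaxPageState with no theme_token key at all, so the negotiator named in the @see comment must tolerate the key being missing; if it reads `$ajax_page_state['theme_token']` unconditionally before its default-theme short-circuit, every default-theme AJAX request would trip an undefined-index notice — that method is outside this hunk, so worth confirming. The client-side omission and the server-side validation also need to agree on what "default" means: this line takes it from the theme handler, and the negotiator presumably reads system.theme:default too, but if the two ever diverge the client would omit a token the server still demands and those requests would fail validation. Consider saying so in the added comment, e.g. `// Must match the default-theme check in AjaxBasePageNegotiator; a mismatch makes the client omit a token the server requires.` The function signature of system_js_settings_alter appears only in the hunk header; the rest of its body is within the hunk.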