diff --git a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
index a7bb43fc6962..eee6dad0f1b9 100644
--- a/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
+++ b/core/lib/Drupal/Core/Template/TwigSandboxPolicy.php
@@ -57,6 +57,7 @@ class TwigSandboxPolicy implements \Twig_Sandbox_SecurityPolicyInterface {
 'bundle',
 'get',
 '__toString',
+ 'toString',
 ]);
 $this->whitelisted_methods = array_flip($whitelisted_methods);
diff --git a/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php b/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php
index d403db39ed6d..7a3dd3ae46d2 100644
--- a/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php
+++ b/core/tests/Drupal/Tests/Core/Template/TwigSandboxTest.php
@@ -140,6 +140,20 @@ class TwigSandboxTest extends UnitTestCase {
 $this->assertEquals($result, 'testing', 'Sandbox policy allows get() to be called.');
 }
+ /**
+ * Tests that safe methods inside Url objects can be called.
+ */
+ public function testUrlSafeMethods() {
+ $url = $this->getMockBuilder('Drupal\Core\Url')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $url->expects($this->once())
+ ->method('toString')
+ ->willReturn('http://kittens.cat/are/cute');
+ $result = $this->twig->render('{{ url.toString }}', ['url' => $url]);
+ $this->assertEquals($result, 'http://kittens.cat/are/cute', 'Sandbox policy allows toString() to be called.');
+ }
+
 }
 class TestAttribute extends Attribute {}
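Review bot: The `'toString'` entry is allowed by method name alone, so it applies to any object a sandboxed template can reach, not only `Drupal\Core\Url` as the accompanying test suggests. The context line `array_flip($whitelisted_methods)` shows the list becoming a name-keyed map with no class component. Every class exposed to templates that defines a `toString()` method is therefore callable, so the entry deserves a comment stating the assumption, e.g. `// Url::toString() only renders the URL; allowed by name, so it applies to every class.` The array literal and the enclosing method begin outside the hunk, so the check that consumes this map is not visible here and its scope should be confirmed there.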
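Review bot: `testUrlSafeMethods()` passes its `assertEquals()` arguments in actual/expected order, so a failure would report the two values the wrong way round; `$this->assertEquals('http://kittens.cat/are/cute', $result, 'Sandbox policy allows toString() to be called.');` is the conventional form (the context assertion above the added method has the same ordering). The test also covers only the allowed path: a companion case asserting that a method on the same `Url` mock that is not in the list is still rejected by the sandbox would pin that the new entry widened the policy by `toString` and nothing else. The docblock says "safe methods" although only `toString` is exercised, so `Tests that toString() on Url objects can be called.` would describe it more accurately.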