diff --git a/core/modules/image/image.module b/core/modules/image/image.module
index 2cc6f6bba28ed4c074a6ce42548150cc5ac51076..051912a9e065421a22373e2af28e301dc9e02281 100644
--- a/core/modules/image/image.module
+++ b/core/modules/image/image.module
@@ -730,7 +730,15 @@ function image_style_url($style_name, $path) {
   // The token query is added even if the
   // 'image.settings:allow_insecure_derivatives' configuration is TRUE, so that
   // the emitted links remain valid if it is changed back to the default FALSE.
-  $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
+  // However, sites which need to prevent the token query from being emitted at
+  // all can additionally set the 'image.settings:suppress_itok_output'
+  // configuration to TRUE to achieve that (if both are set, the security token
+  // will neither be emitted in the image derivative URL nor checked for in
+  // image_style_deliver()).
+  $token_query = array();
+  if (!config('image.settings')->get('suppress_itok_output')) {
+    $token_query = array(IMAGE_DERIVATIVE_TOKEN => image_style_path_token($style_name, file_stream_wrapper_uri_normalize($path)));
+  }
 
   // If not using clean URLs, the image derivative callback is only available
   // with the script path. If the file does not exist, use url() to ensure
@@ -742,8 +750,12 @@ function image_style_url($style_name, $path) {
   }
   $file_url = file_create_url($uri);
 
-  // Append the query string with the token.
-  return $file_url . (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+  // Append the query string with the token, if necessary.
+  if ($token_query) {
+    $file_url .= (strpos($file_url, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($token_query);
+  }
+
+  return $file_url;
 }
 
 /**
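Review bot: The new `suppress_itok_output` branch drops the token whenever that single setting is TRUE, yet the comment it introduces says the token is only safe to omit when `allow_insecure_derivatives` is also TRUE; with suppression on and insecure derivatives off, every emitted derivative URL would presumably be rejected by image_style_deliver() (not part of this diff), a misconfiguration this hunk could make harmless. Consider reading the config once and suppressing only when both flags agree: `$config = config('image.settings');` and `if (!($config->get('suppress_itok_output') && $config->get('allow_insecure_derivatives'))) {`. The comment should then state that coupling directly, e.g. `// The token is only omitted when insecure derivatives are also allowed; otherwise it is always emitted.` The enclosing image_style_url() starts before this hunk and continues into the next one.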
diff --git a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
index ae550ae67e8d898c47be3c47a7fbe60d84313418..7b1b2edeb0b536c5acf481b2f53d01a26ba75915 100644
--- a/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
+++ b/core/modules/image/lib/Drupal/image/Tests/ImageStylesPathAndUrlTest.php
@@ -200,6 +200,30 @@ function _testImageStyleUrlAndPath($scheme, $clean_url = TRUE, $extra_slash = FA
       $this->assertResponse(200, 'Existing image was accessible at the URL wih an invalid token.');
     }
 
+    // Allow insecure image derivatives to be created for the remainder of this
+    // test.
+    config('image.settings')->set('allow_insecure_derivatives', TRUE)->save();
+
+    // Create another working copy of the file.
+    $files = $this->drupalGetTestFiles('image');
+    $file = array_shift($files);
+    $image_info = image_get_info($file->uri);
+    $original_uri = file_unmanaged_copy($file->uri, $scheme . '://', FILE_EXISTS_RENAME);
+    // Let the image_module_test module know about this file, so it can claim
+    // ownership in hook_file_download().
+    state()->set('image.test_file_download', $original_uri);
+
+    // Suppress the security token in the URL, then get the URL of a file that
+    // has not been created and try to create it. Check that the security token
+    // is not present in the URL but that the image is still accessible.
+    config('image.settings')->set('suppress_itok_output', TRUE)->save();
+    $generated_uri = image_style_path($this->style_name, $original_uri);
+    $this->assertFalse(file_exists($generated_uri), 'Generated file does not exist.');
+    $generate_url = image_style_url($this->style_name, $original_uri);
+    $this->assertIdentical(strpos($generate_url, IMAGE_DERIVATIVE_TOKEN . '='), FALSE, 'The security token does not appear in the image style URL.');
+    $this->drupalGet($generate_url);
+    $this->assertResponse(200, 'Image was accessible at the URL with a missing token.');
+
     $GLOBALS['script_path'] = $script_path_original;
   }
 }
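Review bot: `$image_info = image_get_info($file->uri);` in the added block is assigned but never read by the lines that follow, so it should be dropped (or its result asserted, if the intent was to verify the copied test file is a valid image). The new assertions only cover the permissive combination (`allow_insecure_derivatives` TRUE and `suppress_itok_output` TRUE); the security-relevant negative case — token suppressed while insecure derivatives remain disallowed — is not exercised, and a request for the tokenless URL in that state should be asserted as rejected (the exact response code depends on image_style_deliver(), which is not in this diff). The enclosing _testImageStyleUrlAndPath() begins before this hunk.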