diff --git a/core/avatar/avatarcontroller.php b/core/avatar/avatarcontroller.php
index a0c9ebbd78..945e022600 100644
--- a/core/avatar/avatarcontroller.php
+++ b/core/avatar/avatarcontroller.php
@@ -91,6 +91,7 @@ class AvatarController extends Controller {
 /**
 * @NoAdminRequired
+ * @NoCSRFRequired
 *
 * @param string $userId
 * @param int $size
diff --git a/core/js/jquery.avatar.js b/core/js/jquery.avatar.js
index 74acaac792..b0d1ca7d88 100644
--- a/core/js/jquery.avatar.js
+++ b/core/js/jquery.avatar.js
@@ -76,8 +76,8 @@
 var $div = this;
 var url = OC.generateUrl(
- '/avatar/{user}/{size}?requesttoken={requesttoken}',
- {user: user, size: size * window.devicePixelRatio, requesttoken: oc_requesttoken});
+ '/avatar/{user}/{size}',
+ {user: user, size: size * window.devicePixelRatio});
 $.get(url, function(result) {
 if (typeof(result) === 'object') {
diff --git a/settings/js/personal.js b/settings/js/personal.js
index 9e4dd54090..33746d22ac 100644
--- a/settings/js/personal.js
+++ b/settings/js/personal.js
@@ -321,7 +321,7 @@ $(document).ready(function () {
 var url = OC.generateUrl(
 '/avatar/{user}/{size}',
 {user: OC.currentUser, size: 1}
- ) + '?requesttoken=' + encodeURIComponent(oc_requesttoken);
+ );
 $.get(url, function (result) {
 if (typeof(result) === 'object') {
 $('#removeavatar').hide();
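Review bot: The added `@NoCSRFRequired` in this docblock turns off the request-token check for the avatar getter, and nothing in the docblock records why that exemption is safe. I would add a line such as `* CSRF check is skipped because this action only reads and returns an avatar; it must stay GET-only and free of side effects.` so that a later change to the method does not silently inherit the exemption. The method body and its route lie outside the hunk, so whether the action is in fact read-only, and whether `$size` is clamped before any image is resized, should be confirmed there; presumably the endpoint can now be requested from other origins with the session cookie attached.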
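Review bot: `size * window.devicePixelRatio` on the new argument line can be fractional on displays with a non-integer pixel ratio, so the generated URL can carry a decimal size segment while the controller documents `@param int $size`. Rounding at the call site, `{user: user, size: Math.ceil(size * window.devicePixelRatio)});`, keeps the path well-formed and keeps the set of distinct avatar URLs small now that the URL no longer varies with the request token. The enclosing function starts and ends outside the hunk.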