diff --git a/core/js/core.json b/core/js/core.json
index ee1a0e0d65ddaddbc7b20dda726433a4391e2982..4f338f87748809535e1d59a75fb8ac0c6adc4695 100644
--- a/core/js/core.json
+++ b/core/js/core.json
@@ -13,7 +13,6 @@
 "sharedialogresharerinfoview.js",
 "sharedialogshareelistview.js",
 "public/publicpage.js",
- "oc-requesttoken.js",
 "setupchecks.js",
 "../search/js/search.js",
 "mimetype.js",
diff --git a/core/js/dist/login.js b/core/js/dist/login.js
index 7c585e11b3da09ce26a0390c340fbe4f1962466e..34b02711c2e70cb8ace7fdec225f11b1441e1668 100644
Binary files a/core/js/dist/login.js and b/core/js/dist/login.js differ
diff --git a/core/js/dist/login.js.map b/core/js/dist/login.js.map
index a59c1d5e7668674cdf9a9c4af09027894aa17ac1..8c14ae9d5bba112a58beebdedfe4b6115301ea0b 100644
Binary files a/core/js/dist/login.js.map and b/core/js/dist/login.js.map differ
diff --git a/core/js/dist/main.js b/core/js/dist/main.js
index a224f42d33c1bd2afd73d1b148028e027b1bfa18..b71fa7fcdff879c871913f91f2ab77dea66abb2c 100644
Binary files a/core/js/dist/main.js and b/core/js/dist/main.js differ
diff --git a/core/js/dist/main.js.map b/core/js/dist/main.js.map
index 0438f7647decdb3b4d8648e7ebc404483dad0f67..04bf5079184e6e9f975877b60c7c21d0d489b896 100644
Binary files a/core/js/dist/main.js.map and b/core/js/dist/main.js.map differ
diff --git a/core/js/js.js b/core/js/js.js
index f00b7bc2420cfda1bcfd02aacf26c97488979d5d..4a7f035db6122b8f7f0685d72db82d7f71b78f45 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1,5 +1,3 @@
-var oc_requesttoken = document.getElementsByTagName('head')[0].getAttribute('data-requesttoken');
-
 /** @namespace OCP */
 var OCP = Object.assign({}, window.OCP);
@@ -16,7 +14,6 @@ Object.assign(window.OC, {
 _capabilities: window.oc_capabilities || null,
 theme: window.oc_defaults || {},
- requestToken: oc_requesttoken,
 /**
 * Check if a user file is allowed to be handled.
diff --git a/core/js/merged-template-prepend.json b/core/js/merged-template-prepend.json
index ddc98b448ad9dbf84952c16879ad504319225a0f..c7b3501d6c9bc77cfb26f6d1a593116580574b37 100644
--- a/core/js/merged-template-prepend.json
+++ b/core/js/merged-template-prepend.json
@@ -1,6 +1,5 @@
 [
 "js.js",
- "oc-requesttoken.js",
 "mimetype.js",
 "mimetypelist.js",
 "select2-toggleselect.js"
diff --git a/core/js/oc-requesttoken.js b/core/js/oc-requesttoken.js
deleted file mode 100644
index d5dcecdb5aba8f62ab1df21bcd7640f9beb68c45..0000000000000000000000000000000000000000
--- a/core/js/oc-requesttoken.js
+++ /dev/null
@@ -1,6 +0,0 @@
-$(document).on('ajaxSend',function(elm, xhr, settings) {
- if(settings.crossDomain === false) {
- xhr.setRequestHeader('requesttoken', oc_requesttoken);
- xhr.setRequestHeader('OCS-APIREQUEST', 'true');
- }
-});
diff --git a/core/src/OC/eventsource.js b/core/src/OC/eventsource.js
index 4851aa3816d8a3ed17724e735233ad12cf80de04..ec70e6650148cbdb42dd33f76512ec161c9d3c37 100644
--- a/core/src/OC/eventsource.js
+++ b/core/src/OC/eventsource.js
@@ -32,6 +32,8 @@ import $ from 'jquery'
+import {getToken} from './requesttoken'
+
 /**
 * Create a new event source
 * @param {string} src
@@ -51,7 +53,7 @@ const OCEventSource = function (src, data) {
 dataStr += name + '=' + encodeURIComponent(data[name]) + '&';
 }
 }
- dataStr += 'requesttoken=' + encodeURIComponent(oc_requesttoken);
+ dataStr += 'requesttoken=' + encodeURIComponent(getToken());
 if (!this.useFallBack && typeof EventSource !== 'undefined') {
 joinChar = '&';
 if (src.indexOf('?') === -1) {
diff --git a/core/src/OC/index.js b/core/src/OC/index.js
index 81cf002e47ffe1761e953936eeb55ab1a61e0f08..6a9fea3c7b7c96e3bea2c09465cd368cfa2e2cd0 100644
--- a/core/src/OC/index.js
+++ b/core/src/OC/index.js
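Review bot: In core/src/OC/eventsource.js the CSRF token from `getToken()` still goes into the request URL (`dataStr += 'requesttoken=' + …`), where it can be recorded in server access logs, proxy logs and browser history, and nothing at that line says why. The browser EventSource API cannot set custom request headers, which is presumably the reason, so I would add a comment above the line such as `// EventSource cannot send custom headers, so the request token has to go in the query string; keep these URLs out of logs`. As far as the hunk shows, the token is read once while the URL is being built, so a value refreshed later through `setToken()` does not reach a source that already exists. OCEventSource's body starts before and continues after the hunk.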
@@ -42,6 +42,10 @@ import {currentUser, getCurrentUser} from './currentuser'
 import Dialogs from './dialogs'
 import EventSource from './eventsource'
 import {get, set} from './get_set'
+import {
+ getToken as getRequestToken,
+ subscribe as subscribeToRequestTokenChange,
+} from './requesttoken'
 import {
 hideMenus,
 registerMenu,
@@ -135,6 +139,7 @@ export default {
 filePath,
 redirect,
 reload,
+ requestToken: getRequestToken(),
 linkTo,
 linkToOCS,
 linkToRemote,
@@ -150,3 +155,6 @@ export default {
 */
 webroot,
 }
+
+// Keep the request token prop in sync
+subscribeToRequestTokenChange(token => OC.requestToken = token)
diff --git a/core/src/OC/requesttoken.js b/core/src/OC/requesttoken.js
new file mode 100644
index 0000000000000000000000000000000000000000..3c4a185f1c0c777358072993197d0739be4c60a7
--- /dev/null
+++ b/core/src/OC/requesttoken.js
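Review bot: The new callback `subscribeToRequestTokenChange(token => OC.requestToken = token)` at the end of core/src/OC/index.js assigns to an identifier `OC` that none of the visible hunks import or declare; the object is exported anonymously with `export default {`, so the name presumably resolves to the `window.OC` global at call time. If that global is missing or is a different object when the token is refreshed, the exported object keeps the snapshot taken by `requestToken: getRequestToken()` and callers reading it send a stale request token. Binding the export to a local name removes the dependency: `const OC = { … }`, then `subscribeToRequestTokenChange(token => { OC.requestToken = token })` and `export default OC`. The exported object starts outside these hunks and the rest of the file is not visible, so confirm against the full module.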
@@ -0,0 +1,43 @@
+/*
+ * @copyright 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+let token = document.getElementsByTagName('head')[0].getAttribute('data-requesttoken');
+const observers = []
+
+/**
+ * @return {string}
+ */
+export const getToken = () => token
+
+/**
+ * @param {Function} observer
+ * @return {number}
+ */
+export const subscribe = observer => observers.push(observer)
+
+/**
+ * @param {String} newToken
+ */
+export const setToken = newToken => {
+ token = newToken
+
+ observers.forEach(o => o(token))
+}
diff --git a/core/src/globals.js b/core/src/globals.js
index 65ad3148ec6f681eaa3efa9afc4c14a8e2761b53..48955f11d3a5e3926425ecabf7d7ae4eed4ff745 100644
--- a/core/src/globals.js
+++ b/core/src/globals.js
@@ -42,7 +42,7 @@ const deprecate = (func, funcName) => {
 return newFunc
 }
-const setDeprecatedProp = (global, val, msg) => {
+const setDeprecatedProp = (global, cb, msg) => {
 if (window[global] !== undefined) {
 delete window[global]
 }
@@ -53,7 +53,8 @@ const setDeprecatedProp = (global, val, msg) => {
 } else {
 warnIfNotTesting(`${global} is deprecated`)
 }
- return val
+
+ return cb()
 }
 })
 }
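Review bot: `setToken` in the new core/src/OC/requesttoken.js notifies subscribers with a bare `observers.forEach(o => o(token))`, so an observer that throws stops the loop and every observer registered after it keeps using the old CSRF token. Isolating each call keeps the rest in sync: `observers.forEach(o => { try { o(token) } catch (e) { console.error('error updating request token', e) } })`. The JSDoc is also thinner than the contract: `getToken` is documented as `@return {string}` although `getAttribute` yields `null` when `data-requesttoken` is absent, and `subscribe` returns the array length from `push` with no way to unsubscribe. A one-line module comment saying that this file is the single source of the CSRF request token would help the next reader.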
@@ -93,6 +94,7 @@ import OCP from './OCP/index'
 import OCA from './OCA/index'
 import escapeHTML from './Util/escapeHTML'
 import formatDate from './Util/format-date'
+import {getToken as getRequestToken} from './OC/requesttoken'
 import getURLParameter from './Util/get-url-parameter'
 import humanFileSize from './Util/human-file-size'
 import relative_modified_date from './Util/relative-modified-date'
@@ -115,14 +117,15 @@ window['md5'] = md5
 window['moment'] = moment
 window['OC'] = OC
-setDeprecatedProp('initCore', initCore, 'this is an internal function')
-setDeprecatedProp('oc_appswebroots', OC.appswebroots, 'use OC.appswebroots instead')
-setDeprecatedProp('oc_config', OC.config, 'use OC.config instead')
-setDeprecatedProp('oc_current_user', OC.getCurrentUser().uid, 'use OC.getCurrentUser().uid instead')
-setDeprecatedProp('oc_debug', OC.debug, 'use OC.debug instead')
-setDeprecatedProp('oc_isadmin', OC.isUserAdmin(), 'use OC.isUserAdmin() instead')
-setDeprecatedProp('oc_webroot', OC.webroot, 'use OC.getRootPath() instead')
-setDeprecatedProp('OCDialogs', OC.dialogs, 'use OC.dialogs instead')
+setDeprecatedProp('initCore', () => initCore, 'this is an internal function')
+setDeprecatedProp('oc_appswebroots', () => OC.appswebroots, 'use OC.appswebroots instead')
+setDeprecatedProp('oc_config', () => OC.config, 'use OC.config instead')
+setDeprecatedProp('oc_current_user', () => OC.getCurrentUser().uid, 'use OC.getCurrentUser().uid instead')
+setDeprecatedProp('oc_debug', () => OC.debug, 'use OC.debug instead')
+setDeprecatedProp('oc_isadmin', OC.isUserAdmin, 'use OC.isUserAdmin() instead')
+setDeprecatedProp('oc_requesttoken', () => getRequestToken(), 'use OC.requestToken instead')
+setDeprecatedProp('oc_webroot', () => OC.webroot, 'use OC.getRootPath() instead')
+setDeprecatedProp('OCDialogs', () => OC.dialogs, 'use OC.dialogs instead')
 window['OCP'] = OCP
 window['OCA'] = OCA
 window['escapeHTML'] = deprecate(escapeHTML, 'escapeHTML')
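Review bot: `setDeprecatedProp('oc_isadmin', OC.isUserAdmin, …)` in core/src/globals.js passes the method itself as the callback, unlike every other call in this hunk, so the getter invokes it as a bare `cb()` without `OC` as the receiver. Whether that matters depends on `isUserAdmin`, which is not visible here, but if it reads `this` the deprecated global would throw or give the wrong answer for an admin check. Wrapping it like its neighbours avoids the question: `setDeprecatedProp('oc_isadmin', () => OC.isUserAdmin(), 'use OC.isUserAdmin() instead')`.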
diff --git a/core/src/jquery/index.js b/core/src/jquery/index.js
index 43b379fd2e505b886da7c453967db25a5adc36fe..e2efc76bdf10cdf5e3e33b405e419617df2c8a71 100644
--- a/core/src/jquery/index.js
+++ b/core/src/jquery/index.js
@@ -28,6 +28,7 @@ import './filterattr'
 import './ocdialog'
 import './octemplate'
 import './placeholder'
+import './requesttoken'
 import './selectrange'
 import './showpassword'
 import './tipsy'
diff --git a/core/src/jquery/requesttoken.js b/core/src/jquery/requesttoken.js
new file mode 100644
index 0000000000000000000000000000000000000000..a8fb024d04a174c291baa0a13ffbd4f9182ef634
--- /dev/null
+++ b/core/src/jquery/requesttoken.js
@@ -0,0 +1,31 @@
+/*
+ * @copyright 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @author 2019 Christoph Wurst <christoph@winzerhof-wurst.at>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import $ from 'jquery'
+
+import {getToken} from '../OC/requesttoken'
+
+$(document).on('ajaxSend',function(elm, xhr, settings) {
+ if(settings.crossDomain === false) {
+ xhr.setRequestHeader('requesttoken', getToken());
+ xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+ }
+});
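Review bot: The `settings.crossDomain === false` test in the new core/src/jquery/requesttoken.js is the only thing that keeps the CSRF token off jQuery requests to other origins, and the file does not say so. I would put a comment above the handler, for example `// Attach the request token to same-origin jQuery requests only; it must never be sent to another origin`. The check trusts the `crossDomain` value on the settings object, which jQuery computes only when the caller has not set it, so a caller passing `crossDomain: false` for a foreign URL would still get the header; that is worth a second comment line. The first handler argument is the event object, so `elm` would read better as `event`.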
diff --git a/core/src/session-heartbeat.js b/core/src/session-heartbeat.js
index 5d1f7177cf7197d5e3f659f7e8d9ef3151f2038d..9a4981e4bb7063c79c917f6da356b7033000be53 100644
--- a/core/src/session-heartbeat.js
+++ b/core/src/session-heartbeat.js
@@ -23,6 +23,7 @@ import $ from 'jquery'
 import {generateUrl} from './OC/routing'
 import OC from './OC'
+import {setToken as setRequestToken} from './OC/requesttoken'
 /**
 * session heartbeat (defaults to enabled)
@@ -65,10 +66,7 @@ export const initSessionHeartBeat = () => {
 setInterval(() => {
 $.ajax(generateUrl('/csrftoken'))
- .then(resp => {
- oc_requesttoken = resp.token
- OC.requestToken = resp.token
- })
+ .then(resp => setRequestToken(resp.token))
 .fail(e => {
 console.error('session heartbeat failed', e)
 })
diff --git a/settings/js/settings/personalInfo.js b/settings/js/settings/personalInfo.js
index 53f2c82cb73d9645c4802886f5275211ecb8d221..454374b303d96fbc0f490293281af45134a77542 100644
--- a/settings/js/settings/personalInfo.js
+++ b/settings/js/settings/personalInfo.js
@@ -77,7 +77,7 @@ function showAvatarCropper () {
 $cropper.children('.inner-container').prepend($cropperImage);
 $cropperImage.attr('src',
- OC.generateUrl('/avatar/tmp') + '?requesttoken=' + encodeURIComponent(oc_requesttoken) + '#' + Math.floor(Math.random() * 1000));
+ OC.generateUrl('/avatar/tmp') + '?requesttoken=' + encodeURIComponent(OC.requestToken) + '#' + Math.floor(Math.random() * 1000));
 $cropperImage.load(function () {
 var img = $cropperImage.get()[0];
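Review bot: In core/src/session-heartbeat.js the new `.then(resp => setRequestToken(resp.token))` stores whatever the `/csrftoken` response carries, so a response without a string `token` (an error body or a login page, for instance) replaces the working token with `undefined` and pushes it to every subscriber. From then on same-origin requests carry an unusable `requesttoken` header until a later heartbeat succeeds or the page is reloaded. A guard before the call keeps the last good value: `.then(resp => { if (resp && typeof resp.token === 'string' && resp.token !== '') setRequestToken(resp.token) })`. initSessionHeartBeat continues outside the hunk.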