Remove note on IdP to validate nonce (#582) (#583)

obfuscoder · Kai Lehmann · web-flow · commit 10794f7327d3 · 2024-05-15T13:25:31.000-07:00
Co-authored-by: Kai Lehmann &lt;kai.lehmann@1und1.de&gt;
diff --git a/spec/index.bs b/spec/index.bs
@@ -2045,8 +2045,6 @@ the <a http-header>Origin</a> header value is represented by the
 [=IDP=]-specific, the [=user agent=] cannot perform this check.
 </div>
 
-Note: An [=IDP=] should validate the nonce, if present, to prevent CSRF-style attacks.
-
 The response body must be a JSON object that can be [=converted to an IDL value|converted=] to an {{IdentityProviderToken}} without an exception.
 
 Every {{IdentityProviderToken}} is expected to have members with the following semantics:
