Remove note on IdP to validate nonce (w3c-fedid#582) (w3c-fedid#583)

Co-authored-by: Kai Lehmann <[email protected]>

spec/index.bs

@@ -2045,8 +2045,6 @@ the <a http-header>Origin</a> header value is represented by the
 [=IDP=]-specific, the [=user agent=] cannot perform this check.
 </div>
 
-Note: An [=IDP=] should validate the nonce, if present, to prevent CSRF-style attacks.
-
 The response body must be a JSON object that can be [=converted to an IDL value|converted=] to an {{IdentityProviderToken}} without an exception.
 
 Every {{IdentityProviderToken}} is expected to have members with the following semantics: