diff --git a/spec/index.bs b/spec/index.bs index 7d3f2bb0..01c3d12e 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -2047,8 +2047,6 @@ the Origin header value is represented by the [=IDP=]-specific, the [=user agent=] cannot perform this check. -Note: An [=IDP=] should validate the nonce, if present, to prevent CSRF-style attacks. - The response body must be a JSON object that can be [=converted to an IDL value|converted=] to an {{IdentityProviderToken}} without an exception. Every {{IdentityProviderToken}} is expected to have members with the following semantics:
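Review bot: The hunk at -2047 deletes "Note: An [=IDP=] should validate the nonce, if present, to prevent CSRF-style attacks." and adds nothing in its place, so this part of the section no longer tells the IDP what to do with a nonce. If the nonce is no longer sent to this endpoint, say so in the commit message and point to where the IDP-side CSRF guidance now lives. If a nonce can still be present, keep the note or move it next to the text that defines the nonce rather than dropping it. The unchanged context just above the deletion says the user agent cannot perform a check related to the Origin header, which makes an explicit statement of the IDP's own validation duties more useful here, not less.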