The requirement only existed for one of the APIs, not both, and the other API has a spec forbidding it. I suggest that you read the linked issue and stop spreading clearly a inaccurate story from people with agenda. No problem adding more security charlatans to our ban lists.