diff --git a/resources/static/shared/user.js b/resources/static/shared/user.js
index 5dfdf673db4538343f20eb4fe41aaf178f658da6..61eff6f478e3c166e66a39c0efec193f9842b9fe 100644
--- a/resources/static/shared/user.js
+++ b/resources/static/shared/user.js
@@ -1051,6 +1051,14 @@ BrowserID.User = (function() {
      * @param {function} onFailure - called on XHR failure.
      */
     getSilentAssertion: function(siteSpecifiedEmail, onComplete, onFailure) {
+      // XXX: why do we need to check authentication status here explicitly.
+      //      why can't we fail later?  the problem with doing this is that
+      //      knowing correct present authentication status requires that we
+      //      talk to the server, because you can be logged in or logged out
+      //      in many different contexts (dialog, manage page, cookies expire).
+      //      so if we rely on localstorage only and check authentication status
+      //      only when we know a network request will be required, we very well
+      //      might have fewer race conditions and do fewer network requests.
       User.checkAuthentication(function(authenticated) {
         if (authenticated) {
           var loggedInEmail = storage.getLoggedIn(origin);
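Review bot: The added XXX comment above `User.checkAuthentication` argues for relying on localStorage and deferring the server check, but it does not record what the check protects. `storage.getLoggedIn(origin)` is client-side state that can outlive the server session (the comment itself lists the dialog, the manage page and cookie expiry), so without the check a silent assertion could be attempted for a user who is no longer signed in. Whether a later step would fail closed in that case is not visible in this hunk, as the body of `getSilentAssertion` continues past it. I would add one line stating the constraint, e.g. `// Any change must still refuse to produce an assertion when the server session is gone; the email in storage can be stale.`, and replace the open-ended `XXX` with a `TODO` that references a tracking issue so the question is not lost.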