Comment # 4 on bug 969849 from Egbert Eich

(In reply to Dr. Werner Fink from comment #3)
> Ahhh ... the X server *requires* a magic cookie to allow the remote
> connection.  This seems to be new and should be documented.
> 
> After using keygen to create a MIT-MAGIC-COOKIE-1 it works at least for the
> xterm and also the Xdmx.

You can use all sorts of access control: host based, auth based or si (server
interpreted). The only thing is that access control is required for all but
local connections. This has been for a while already. In the code I was able to
trace this back since XFree86.
To get back the 'old' behaviour, you'd need to specify '-ac' along with
'-listen tcp' or run 'xhost +' from a local connection.