this restriction is flagged as "non-critical".
what this really means to X.509 is "you're not required to reject this just because you don't understand it."
the OID 1.3.6.1.5.5.7.3.11 for this restriction is usually translated to humans as "ServerAuth" (Server Authentication). Don't know where the "web" comes in here, possibly from browser programmers.
RFC 5280 4.2.1.12 says:
id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
-- TLS WWW server authentication
-- Key usage bits that may be consistent: digitalSignature,
-- keyEncipherment or keyAgreement
So the name says one thing and the comments say something slightly else. Can't imagine how anybody could misunderstand that.