From https://en.wikipedia.org/wiki/Same-origin_policy:

a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

Without the same-origin policy, JavaScript in a malicious web page could exploit the user’s logged-in sessions on other websites and access them on the user’s behalf behind the scenes. Therefore, cross-domain Ajax (GET and POST) is generally disallowed.
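The comparison the policy rests on, as an added example that is not part of the original page: an origin is the (scheme, host, port) tuple, and two URLs are same-origin only when all three match. The function names and the `bank.example` / `evil.example` URLs are constructed for illustration.

```javascript
// Added example: same-origin check over the (scheme, host, port) tuple.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the origin tuple for a URL, or null for schemes with an opaque
// origin (data:, file:, about:, ...), which never match any other origin.
function originOf(urlString) {
  const url = new URL(urlString); // lowercases the host, drops a default port
  if (!(url.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: url.protocol,
    host: url.hostname,
    port: url.port || DEFAULT_PORTS[url.protocol],
  };
}

// True only when scheme, host and port are all identical.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample: a script running on PAGE tries to read each target.
const PAGE = "https://bank.example/account/summary";
const TARGETS = [
  "https://bank.example/api/balance",      // same tuple, different path
  "https://BANK.example:443/api/balance",  // case and explicit default port
  "http://bank.example/api/balance",       // scheme differs
  "https://bank.example:8443/api/balance", // port differs
  "https://api.bank.example/balance",      // host differs (subdomain)
  "https://evil.example/collect",          // unrelated site
  "data:text/html,<p>x</p>",               // opaque origin
];

// Classify every target relative to the page that wants to read it.
function evaluate(page, targets) {
  return targets.map((t) => ({ target: t, allowed: sameOrigin(page, t) }));
}

for (const { target, allowed } of evaluate(PAGE, TARGETS)) {
  console.log(`${allowed ? "same-origin " : "cross-origin"}  ${target}`);
}
```

Only the first two targets share the page's origin; a different path does not matter, while a different scheme, port or subdomain does.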

§Reference