From https://en.wikipedia.org/wiki/Same-origin_policy:

a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

Without same origin policy, JS code in a malicious web page could exploit user’s logged-in session in other websites, and access on user’s behalf behind the scene. Therefore, cross domain Ajax (GET and POST) is generally disallowed.

Reference