Browser - Same Origin Policy

User agents (such as browser) commonly apply same-origin restrictions to network requests.

The browser code enforces the Same-Origin Policy.

These restrictions prevent a client-side Web application running from one origin from obtaining data retrieved from another origin, and also limit unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin.

Although some validation and authorization can be performed by the server, it is the browser's responsibility to honor the restrictions

Websites cannot access each other’s data inside the browser thanks to the Same-Origin Policy

Two origins are said to be the same origin if the algorithm returns true.

To remove this policy, see Browser - Cross Origin Resource Sharing (CORS)

with Site Isolation (ie process isolation), it’s much more difficult for a malicious website to use speculative side-channel attacks like Spectre to steal data from other sites.