The same-origin policy prevents arbitrary access from the site you're browsing to other sites. JS can, among other things, fetch resources from other domains. This is commonly used for images, stats, ads, and for loading other JS modules from CDNs. It's also an inherently unsafe operation, because what if someone injects malicious code into catvideos.

16m read time. From eli.thegreenplace.net
Table of contents
- Same-origin policy
- Local experiment to observe the SOP in action
- CORS
- A sample Go server with CORS support
- Preflight requests
- Adding preflight support to our Go server
- Cookies and CORS
- Next steps
- Code
