
Here's a preview from my zine, HTTP: Learn your browser's language!! If you want to see more comics like this, sign up for my Saturday comics newsletter or browse more comics!

Browsers work hard to make sure that evil.com can’t make requests to other-website.com. But evil.com can request other-website.com from its own server. So what’s the big deal?
Here are 2 reasons it’s important to prevent JavaScript code from making arbitrary requests from your browser:
Reason 1: cookies
Browsers often send your cookies with HTTP requests. You don’t want evil.com to be able to make requests using your login cookies. They’d be logged in as you!
evil.com Javascript: Send a GET request to mail.google.com with their current login cookies.
browser: I’ll do it, but you can’t see the response unless the server says it’s okay.
(the browser will actually do it!)
Reason 2: network access
You might be on a private network (for example your company’s corporate network) that evil.com doesn’t have access to, but your computer does.
evil.com Javascript: POST request to secrets.corp.company.com/send_money please.
browser: No! Same origin policy! I’m not even going to make that request without checking first.
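The two browser behaviours in the comic (a GET sent with cookies but with its response hidden, versus a request the browser checks before sending) and the server-side decision that drives them, as an added example written for this page rather than code from the zine; the allowlist, the header names' use and the outcome strings are assumptions for illustration.

```javascript
// Added example (not from the zine). Models what the comic describes: the browser
// sends a "simple" request right away but hides the response unless the server opts
// in, and sends a preflight OPTIONS check first for anything else.
// ALLOWED_ORIGINS is an assumed allowlist for the server being protected.
const ALLOWED_ORIGINS = new Set(['https://app.other-website.com']);

// Browser rule: GET/HEAD/POST with a form-style content type and no custom headers
// is "simple" and goes out immediately; anything else triggers a preflight first.
function needsPreflight(method, headers = {}) {
  const simpleMethods = ['GET', 'HEAD', 'POST'];
  const simpleTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
  if (!simpleMethods.includes(method)) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === 'content-type') {
      if (!simpleTypes.includes(value.split(';')[0].trim().toLowerCase())) return true;
    } else if (!['accept', 'accept-language', 'content-language'].includes(n)) {
      return true; // any custom header (e.g. Authorization) forces a preflight
    }
  }
  return false;
}

// Server side: which CORS headers to emit for a given Origin. Emitting none means
// the browser hides the response (Reason 1) or, after a preflight, never sends the
// real request at all (Reason 2). Never use '*' together with credentials.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Vary': 'Origin', // so caches do not serve one origin's answer to another
  };
}

// What the requesting page ends up seeing, given the request and the server's policy.
function browserOutcome(origin, method, headers = {}) {
  const allowed = corsHeaders(origin)['Access-Control-Allow-Origin'] === origin;
  if (needsPreflight(method, headers)) {
    return allowed ? 'preflight ok, request sent' : 'preflight rejected, request never sent';
  }
  return allowed ? 'request sent, response readable' : 'request sent (cookies included), response hidden';
}
```

The model goes one step beyond the comic: a form-encoded POST also counts as a simple request and is sent with cookies and no preflight, which is why a state-changing endpoint still needs its own CSRF protection and cannot rely on the same-origin policy alone.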