Why not add something to protect web security?
XSS protection?
CSRF protection?
We could do those things in the browser and not in every website in existence…
One word: Compatibility. There are already protections against XSS and CSRF built in, and adding stricter rules would cause sites to break. Do you want to maintain a list of all sites that need cross-origin GET requests to function?