The same origin policy restricts any load that would provide JS with data from a different origin. Note that I did not say it blocks all loads: this is specifically restricting JS access to content from other services. CORS was introduced so that it was possible to selectively provide JS with access to such data - previously you had to use JSONP which has bad security properties for the client and server. CORS is what lets JS on your site make an XHR to a remote API provider. Nothing stops you from simply creating an arbitrary element with an arbitrary src attribute (if relevant of course), and triggering a network load. It’s just that most such elements don’t convert the server response into data that can be subsequently accessed in JS, the ones that do (img, etc) can only be read via APIs that themselves enforce same origin restrictions (eg I can create an image element and point it to a remote server, then draw that image into a canvas. At that point the canvas element’s various read APIs will stop working as the canvas knows that it’s been tainted).
If you were to make non-same origin loads fail in the general case you would break everything.
The same origin policy restricts any load that would provide JS with data from a different origin. Note that I did not say it blocks all loads: this is specifically restricting JS access to content from other services. CORS was introduced so that it was possible to selectively provide JS with access to such data - previously you had to use JSONP which has bad security properties for the client and server. CORS is what lets JS on your site make an XHR to a remote API provider. Nothing stops you from simply creating an arbitrary element with an arbitrary src attribute (if relevant of course), and triggering a network load. It’s just that most such elements don’t convert the server response into data that can be subsequently accessed in JS, the ones that do (img, etc) can only be read via APIs that themselves enforce same origin restrictions (eg I can create an image element and point it to a remote server, then draw that image into a canvas. At that point the canvas element’s various read APIs will stop working as the canvas knows that it’s been tainted).
If you were to make non-same origin loads fail in the general case you would break everything.