by smagin 469 days ago
Well, it does make sense to assume that by default different origins belong to different people, and some of those people don't have to behave in a friendly way toward each other.

There is little the server can do about that, because of the request-based model. The state that persists between requests lives in cookies, and it's the browser's job not to expose those cookies all around. Turning off the single origin policy would be a terrible idea. For one, it makes CSRF work by not allowing cross-origin reads.