Same Origin Policy restriction, CORS

Here is my simple explanation (the why) of the Same Origin Policy.

– Script running in a web page in the client's browser must not be allowed to read data (responses, DOM, cookies, storage) that belongs to another origin. An origin is the scheme + host + port of the page, so https://infoq.com and http://infoq.com, or infoq.com and www.infoq.com, are different origins. Loading a script or image from another domain is still permitted; what the policy blocks is reading across origins.

Why:

if script from some other (unknown) domain, say xxx.com, could freely make requests to infoq.com and read the responses, then while I am logged in to infoq.com that code could read my infoq.com pages and data. That code is not part of the infoq.com web page and cannot be trusted.

So with the Same Origin Policy restriction you make sure that only code served from the site you intend to visit can read that site's responses and DOM.

CORS (Cross-Origin Resource Sharing) is the way a server relaxes this on purpose: it answers with Access-Control-Allow-Origin (and, for cookies, Access-Control-Allow-Credentials) to declare which origins the browser may let read its responses.
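To make the rule concrete, here is an added example (not from the original post or from any of the linked pages) that models two things a browser does: the origin comparison behind the Same Origin Policy, and the CORS response check that decides whether a script may read a cross-origin response. The function names, the domains and the header values are assumptions chosen for illustration.

```javascript
// Added example, not part of the original post: a model of the browser's
// origin comparison and of its CORS read check. Names are illustrative.

// An origin is the (scheme, host, port) triple. Two URLs are same-origin
// only if all three match; path, query and fragment play no part.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL drops default ports, so "https://a.com:443" and "https://a.com"
  // both yield an empty port here and compare equal.
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Decide whether script on `pageUrl` may read the body of a response it
// fetched from `targetUrl`, given the response headers it got back.
// Rules modelled:
//   - same-origin responses are always readable;
//   - cross-origin responses need Access-Control-Allow-Origin equal to
//     "*" or to the exact requesting origin;
//   - if the request carried credentials (cookies, Authorization), "*"
//     is rejected and Access-Control-Allow-Credentials: true is required.
// Note that the request itself still reaches the server in every case;
// only the script's ability to read the answer is being decided.
function mayReadResponse(pageUrl, targetUrl, responseHeaders, withCredentials = false) {
  if (sameOrigin(pageUrl, targetUrl)) return true;

  // Header names are case-insensitive; normalise before looking them up.
  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value;
  }

  const allowOrigin = headers['access-control-allow-origin'];
  const allowCredentials = headers['access-control-allow-credentials'];
  const requester = originOf(pageUrl);

  if (allowOrigin === undefined) return false;
  if (withCredentials) {
    return allowOrigin === requester && allowCredentials === 'true';
  }
  return allowOrigin === '*' || allowOrigin === requester;
}

// Walk through the scenarios from the text with constructed headers.
const page = 'https://infoq.com/article';
const scenarios = [
  ['no CORS headers',            'https://xxx.com/api', {},                                                     false],
  ['wildcard, anonymous',        'https://xxx.com/api', { 'Access-Control-Allow-Origin': '*' },                 false],
  ['wildcard, with cookies',     'https://xxx.com/api', { 'Access-Control-Allow-Origin': '*' },                 true],
  ['exact origin, with cookies', 'https://xxx.com/api', { 'access-control-allow-origin': 'https://infoq.com',
                                                          'access-control-allow-credentials': 'true' },         true],
  ['same origin, no headers',    'https://infoq.com/api', {},                                                   true],
];
for (const [label, target, headers, creds] of scenarios) {
  console.log(label.padEnd(28), mayReadResponse(page, target, headers, creds) ? 'readable' : 'blocked');
}
```

The check runs on the response, not the request: the cross-origin call to xxx.com is sent regardless, which is exactly why CORS does not protect against cross-site request forgery and why a server that echoes any Origin back into Access-Control-Allow-Origin together with Allow-Credentials: true has effectively switched the policy off.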

https://www.netsparker.com/whitepaper-same-origin-policy/

Cross-Site Request Forgery Explained

In this video I found out about Burp Suite Scanner | PortSwigger,
which has a nice HTTP proxy/inspector.


https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html
