The web's security model is rooted in the same-origin policy
Code from https://mybank.com should only have access to https://mybank.com's data, and https://evil.example.com should certainly never be allowed access
Each origin is kept isolated from the rest of the web, giving developers a safe sandbox in which to build and play
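The isolation described above rests on a precise definition: two URLs share an origin only when their scheme, host and port all match, and nothing else (path, query, fragment) counts. The following is an added example, not code from the original page, that checks that rule with the standard WHATWG URL class (available in browsers and Node.js); the URLs in it are constructed for illustration and reuse the page's mybank.com / evil.example.com names.

```javascript
// Added example (not from the original page): decide whether two URLs share
// an origin under the same-origin policy. An origin is the (scheme, host,
// port) triple; path, query and fragment are ignored.

function originOf(urlString) {
  // URL.origin serializes scheme + host + port and drops the default port
  // (https://mybank.com:443 -> https://mybank.com), so no manual parsing needed.
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed sample URL pairs with the expected verdict for each.
const CASES = [
  ["https://mybank.com/account", "https://mybank.com/transfer", true],  // different path, same origin
  ["https://mybank.com", "https://evil.example.com", false],            // different host
  ["https://mybank.com", "http://mybank.com", false],                   // different scheme
  ["https://mybank.com", "https://mybank.com:8443", false],             // different port
  ["https://mybank.com", "https://api.mybank.com", false],              // a subdomain is a separate origin
  ["https://mybank.com:443/", "https://mybank.com/#settings", true],    // default port and fragment ignored
];

// Returns one record per case so callers (or a test) can inspect the results.
function runCases() {
  return CASES.map(([a, b, expected]) => ({ a, b, expected, got: sameOrigin(a, b) }));
}

for (const r of runCases()) {
  const mark = r.got === r.expected ? "ok " : "BAD";
  console.log(`${mark} sameOrigin(${r.a}, ${r.b}) = ${r.got}`);
}
```

The subdomain and port cases are the ones that trip people up in practice: `api.mybank.com` and `mybank.com:8443` are as foreign to `mybank.com` as `evil.example.com` is, which is why cross-origin access has to be granted explicitly (for example with CORS headers) rather than assumed.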
In practice, attackers have found clever ways to subvert the system
Cross-site scripting (XSS)
Bypasses the same-origin policy by tricking a site into delivering malicious code along with the intended content
Browsers trust all of the code that shows up on a page as being legitimately part of that page's security origin
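Because the browser cannot distinguish injected markup from the page's own, the defense has to happen before the HTML reaches it. The following is an added example, not code from the original page, showing a comment-rendering function in its vulnerable form beside a hardened form that encodes untrusted values for the HTML body context; the comment text and the `hasForeignTags` check are constructed for the demonstration and are not part of any real project.

```javascript
// Added example (not from the original page): the same template rendered
// unsafely and safely. Runs in Node.js or a browser, no dependencies.

// Minimal escaper for the HTML *body* context: the characters that can open
// or close markup or an attribute value are replaced by entity references.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user text is spliced straight into the document, so any tags it
// contains are parsed as part of the page and run in the page's origin.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened: identical template, but every untrusted value is encoded before
// interpolation, so the browser displays the text instead of parsing it.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Constructed check for the demonstration only: does the rendered HTML contain
// any tag that the template itself did not emit?
const TEMPLATE_TAGS = new Set(["li", "/li", "b", "/b"]);
function hasForeignTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed sample input standing in for a submitted comment.
const SAMPLE_AUTHOR = 'Mallory "the tester"';
const SAMPLE_BODY = "Nice post! <script>alert('injected')</script>";

console.log("unsafe:", renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log("  foreign tags present:", hasForeignTags(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY)));
console.log("safe:  ", renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log("  foreign tags present:", hasForeignTags(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY)));
```

`escapeHtml` is correct only for text placed in the HTML body or inside a quoted attribute value; values interpolated into a `<script>` block, a URL, or an unquoted attribute need a different encoder for that context, and a templating engine that escapes by default removes the chance of forgetting the call.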