Dubious purpose of the same origin policy

Question

As I read, the same origin policy is about preventing scripts with origin in (evil) domain A to make requests to (good) domain B - in other words cross-site request forgery.

Answer 1

CORS doesn't prevent anything that was allowed before CORS was invented. It only specifies a way for sites to allow requests that were previously always denied.

One site could always cause a user agent to make requests to other sites, since the beginning of the Web. Just think hotlinked images.

Typically, it's not correct for a site to authorize an action just based on a cookie, because, as you point out, any site can make requests using other sites' cookies.

A site will usually require that the request contain something other than the cookie. It might, for example, look for a CSRF token that must be read from a previous response. As site B, you'd need use CORS to obtain this token.