1) Summarize the same-origin policy.
2) What is the interface through which two different tabs with different origins can talk to each other, in a way permitted by same-origin policy isolation?
3) In many cases, the CSRF attack involves two different origins, the origin of a compromised web server and the origin of the target web server. So why isn't the CSRF attack prevented by the same-origin policy?