Document same-origin policy more centrally

[annevk]

@ricea asked in #144 that the analysis @jakearchibald made in #144 (comment) about range requests versus the same-origin policy really deserves to be detailed somewhere more officially.

That made me think that perhaps we should have a section detailing the same-origin policy and what it means for networking.

The specification already has various bits through that talk about this, e.g., https://fetch.spec.whatwg.org/#cors-protocol-exceptions, but it might make sense to have something more general.

(There's also some other bits we do for security that are not strictly about the same-origin policy, e.g., https://fetch.spec.whatwg.org/#atomic-http-redirect-handling. I'm not sure how to fit those in. Perhaps leaving them standalone is fine.)

[jakearchibald]

I've tried to use notes in specs the same way I'd use comments in code – to make the intent clear.

However, I have to perform linguistic acrobatics to avoid "must" etc.

I'd love to be able to write notes like "The intent here is to ensure the browser never…" so other editors don't accidentally break it.

[annevk]

That example note seems appropriate, though I'd have to review it in context. I think we definitely want to have notes/example in context as well. However, I also think having a general section at some point that outlines the overall model of thinking about the problem space can be helpful.