Hacker News

One word: Compatibility. There are already protections against XSS and CSRF built in, and adding stricter rules would cause sites to break. Do you want to maintain a list of all sites that need cross-origin GET requests to function?

