It's a basic security measure implemented by browsers. The theory is that "you trust yourself." If you serve assets to a client, then those assets can trust each other not to be malicious. Stuff from other sources is untrusted.
What "self" means here is a combination of protocol (e.g. http vs. https), the domain (down to the sub-domain level), and port. If resources arrive from some other combination of those things, they are untrusted.