HTTP was stateless. Cookies faked statefulness, and the fake immediately leaked: any page could piggyback on another site's authenticated session. So Netscape Navigator 2 introduced the origin. Scheme, host, port. The W3C's 2011 security model acknowledged the concept was "born" from this need, not designed as a security primitive. RFC 6454 describes what followed as convergence, not architecture.
The origin locked things down. Too well. Legitimate cross-domain calls broke, so CORS (Cross-Origin Resource Sharing) spent a decade carefully re-permitting what the same-origin policy (SOP) had blocked. One identity fiction required a security fiction to contain it. Web agents now navigate both fictions daily, hitting walls built for a threat model that never imagined them.
