Is same origin policy for web only useful because of cookies?
No, the Same Origin Policy also protects against:
- Cross domain manipulation in the DOM (e.g. a page manipulating another page from another origin loaded in an IFrame).
- The response from AJAX requests being read when the origins don't match.
- Images loaded from other origins from being read into an HTML5 canvas.
So my question is: would we really need this policy if the browser would not send all the http auth details and cookies with this request automatically?
Yes we do need it for the above reasons.
It could work like that, but not now because of backwards compatibility reasons. It would break too many things suddenly changing a standard that most of the world's web is based upon.
In any case, what would happen in the case that the whole window is redirected? e.g. if there's as sensitive function that could be exploited via CSRF using the GET method, the attacker could simply redirect the whole page to https://example.com/delete_users
in order to execute the attack.
How would the browser know not to send cookies in that situation? It appears the only thing you would achieve is to make the rules more complicated, and complexity is the enemy of security.