The browser itself and its installed plug-ins are not subject to same origin policy. You are thinking of the restrictions on the original site. If this were not the case then the browser would be unable to download content from any site but the one in the browser's URL.
I came here to say that this article is dynamite. I had not followed this story before, but it is at least as important as Snowden / NSA. However, the article loses its force from the middle and the call-out to US liberal politics towards the end is just pathetic. It is as likely that those who need to take action on the data industry are from the right, libertarians, or simply not aligned with parochial US political divisions.
Edit: re-reading the thread, the SOP objection is right. A plug-in is required.
"Malware that can hijack the users' cookies" is a little different to "which is possible through DOM traversal" though. I wanted to address the point in case some got the impression just using the DOM via JS would allow it.