The same-origin policy was designed to prevent an attacker from accessing data on a third-party site. This policy does not prevent requests from being
sent, it only prevents an attack from reading the data returned from the third-party server. Since CSRF attacks are the result of the requests sent, the same-origin policy does not protect against CSRF attacks.

Great paper on Cross-Site Request Forgery: