With the popularity of cloud computing and mobile computing, browser applications show the characteristics of diversification and scale, and the browser security issues are increasingly prominent. To ensure the security of Web application resources, the browser's same-origin policy is proposed. Since then, the introduction of the same-origin policy in RFC6454, W3C and HTML5 standards has driven modern browsers (e.g., Chrome, Firefox, Safari, and Edge) to implement the same-origin policy as the basic access control policy. The same-origin policy, however, in practice, faces the problems including handling security threats introduced by the third-party scripts, limiting the permissions of same-origin frames, assigning more permissions for cross-origin frames when they collaborate with browser's other mechanisms. It also cannot guarantee the safety of cross-domain or cross-origin communication mechanisms and the security under memory attacks. This paper reviews the existing researches on browser's same-origin policy security. Firstly, this paper describes the same-origin policy rules, followed by summarizing the threat model for researches on same-origin policy and the research directions, including insufficient same-origin policy rules and defenses, attacks and defenses on cross-domain and cross-origin mechanisms, and same-origin policy security under memory attacks. Finally, this paper prospects the future research direction of browser's same-origin policy security.