
The public suffix list makes sure evil.github.io can’t read bob.github.io’s cookies, nothing more and nothing less.


It's not just cookies, it defines pretty much all aspects of a browser's security between websites. It sets the boundaries for cross-site scripting. It limits the scope of SSL wildcard certificates. And it's used to determine which part of the domain name gets highlighted in the URL bar.


Which kinda sucks because this is functionality that should be supported and not require a global list to work. I should be able to set origin policy on any domain I control.
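The boundary discussed in the comments above, as an added example that is not part of the thread: a Python sketch of the Public Suffix List matching algorithm (normal, wildcard and exception rules) and the cookie `Domain` check built on it. The rule set is a small constructed subset of the real list, the function names are hypothetical, and the cookie check is simplified (it does not model the host-only fallback).

```python
# Constructed subset of Public Suffix List rules; the real list is far longer.
RULES = {"com", "io", "github.io", "uk", "co.uk", "*.ck", "!www.ck"}

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host):
    """Return the public suffix of host under RULES."""
    labels = _labels(host)
    # Default rule "*": if nothing matches, the last label is the suffix.
    best_key, best_len = (False, 0), 1
    for rule in RULES:
        exception = rule.startswith("!")
        rlabels = rule.lstrip("!").split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[len(labels) - len(rlabels):]
        if all(r in ("*", t) for r, t in zip(rlabels, tail)):
            # An exception rule beats everything; otherwise the longest rule wins.
            key = (exception, len(rlabels))
            if key > best_key:
                best_key = key
                # An exception rule's suffix drops the rule's leftmost label.
                best_len = len(rlabels) - 1 if exception else len(rlabels)
    return ".".join(labels[len(labels) - best_len:])

def registrable_domain(host):
    """Public suffix plus one label (eTLD+1), or None if host is a suffix."""
    labels = _labels(host)
    n = len(_labels(public_suffix(host)))
    if len(labels) <= n:
        return None
    return ".".join(labels[len(labels) - n - 1:])

def same_site(a, b):
    ra, rb = registrable_domain(a), registrable_domain(b)
    return ra is not None and ra == rb

def cookie_domain_allowed(request_host, domain_attr):
    """Simplified check: may request_host set a cookie with Domain=domain_attr?"""
    host = ".".join(_labels(request_host))
    dom = ".".join(_labels(domain_attr.lstrip(".")))
    if public_suffix(dom) == dom:
        return False  # a cookie scoped to a public suffix would span unrelated sites
    return host == dom or host.endswith("." + dom)

if __name__ == "__main__":
    for h in ("evil.github.io", "bob.github.io", "a.example.co.uk", "www.ck"):
        print(h, "->", registrable_domain(h))
    print(cookie_domain_allowed("evil.github.io", "github.io"))
```

Removing `github.io` from `RULES` makes both hosts resolve to the registrable domain `github.io`, which is the situation the list entry prevents.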



