Tobias Boelter:

1) Summarize same-origin policy.

An origin is a source of authority identified with the tuple (protocol, domain name, port). The same-origin policy specifies that an origin's resources should be readable only by content from the same origin.

2) What is the interface through which two different tabs with different origins can talk to each other, in a way permitted by same-origin policy isolation?

postMessage, a concept similar to inter-process communication. By using this API the origins can specify a well-defined API they expose and also sanitize and check requests.

3) In many cases, the CSRF attack involves two different origins, the origin of a compromised web server and the origin of the target web server. So why isn't the CSRF attack prevented by the same-origin policy?

The same-origin policy does not prevent exfiltrating data. Specifically, requests to other origins are possible; it's just impossible for the requesting origin to read the result, but if the request has an effect on the other system's state, there is no way to prevent this.
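The postMessage discipline described in answer 2 (expose a well-defined API, check the sender, sanitize the request), as an added example that is not part of the original answers. The allow-listed origins, the command names and the message shape are assumptions made for the example; event.origin is the browser-supplied field the receiver relies on, because the sender cannot forge it.

```javascript
// Added example: a defensive window.postMessage receiver.
// The allow-list, command names and message shape are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",         // assumed trusted origin
  "https://widget.example:8443", // the port is part of the origin tuple
]);

// The explicit API surface this frame exposes to trusted peers (assumed).
const COMMANDS = {
  getTheme: () => ({ theme: "dark" }),
  setCounter: (value) => ({ counter: Number(value) }),
};

// Validates one MessageEvent-like object { origin, data, source } and returns
// a result record. Rejected messages are never dispatched.
function handleMessage(event) {
  // 1. Origin check: the browser sets event.origin; it is the only authority
  //    we trust for "who sent this". Scheme, host and port must all match.
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin: " + event.origin };
  }
  // 2. Shape check: data is still untrusted input, even from a trusted origin.
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.cmd !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // 3. Dispatch only to own properties of the API table, so names such as
  //    "constructor" or "__proto__" cannot reach prototype members.
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, data.cmd)) {
    return { ok: false, reason: "unknown command: " + data.cmd };
  }
  return { ok: true, result: COMMANDS[data.cmd](data.arg) };
}

// Reply with the same discipline: name the target origin explicitly instead of
// "*", so the reply is dropped if the sending window has since navigated away.
function reply(event, payload) {
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage(payload, event.origin);
  }
}

// Browser wiring; skipped under Node so the file also runs as a plain script.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => reply(ev, handleMessage(ev)));
}

// Constructed events (not real traffic) showing the three checks in action.
const constructedEvents = [
  { origin: "https://app.example", data: { cmd: "getTheme" } },        // accepted
  { origin: "http://app.example", data: { cmd: "getTheme" } },         // scheme differs
  { origin: "https://other.example", data: { cmd: "getTheme" } },      // not allow-listed
  { origin: "https://app.example", data: { cmd: "constructor" } },     // not an own command
  { origin: "https://app.example", data: "getTheme" },                 // wrong shape
];
for (const ev of constructedEvents) {
  console.log(ev.origin, JSON.stringify(ev.data), "->", JSON.stringify(handleMessage(ev)));
}
```

The order of the checks matters: the origin test runs first so that untrusted senders never influence which code path handles their payload, and the reply always carries an explicit targetOrigin rather than "*".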
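Answer 3 says the same-origin policy stops the requester from reading the response but not from sending a state-changing request. The server-side check below, an added example and not part of the original answers, is the usual way a target site closes that gap: it refuses state-changing requests whose Origin (or Referer) is not its own and requires a per-session token that a cross-origin page cannot read. The site origin, cookie name, header name and token storage are assumptions.

```javascript
// Added example: server-side defence for state-changing requests.
// SITE_ORIGIN, the cookie/header names and the session object are assumptions.
const crypto = require("crypto");
const SITE_ORIGIN = "https://bank.example"; // assumed origin of the target site

// Issue a per-session anti-CSRF token. The page embeds it in forms or a header;
// a page from another origin cannot read it because of the same-origin policy.
function issueToken(session) {
  session.csrfToken = crypto.randomBytes(32).toString("hex");
  return session.csrfToken;
}

// Constant-time comparison so a token check does not leak through timing.
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (presented.length !== expected.length) return false;
  return crypto.timingSafeEqual(Buffer.from(presented), Buffer.from(expected));
}

// Session cookie attributes: SameSite=Lax keeps the cookie off cross-site POSTs,
// which is a second, independent layer against forged state changes.
function sessionCookie(sessionId) {
  return `sid=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

// req is a minimal request record: { method, headers: {...lowercase}, body }.
function checkStateChangingRequest(req, session) {
  const method = req.method.toUpperCase();
  if (method === "GET" || method === "HEAD" || method === "OPTIONS") {
    // Safe methods must never change state, so they need no CSRF check.
    return { allowed: true, reason: "safe method" };
  }
  // Layer 1: the browser sets Origin on cross-origin POSTs and the sender
  // cannot override it; fall back to the Referer's origin when it is absent.
  let origin = req.headers.origin || null;
  if (!origin && req.headers.referer) {
    try { origin = new URL(req.headers.referer).origin; } catch (e) { origin = null; }
  }
  if (origin !== SITE_ORIGIN) {
    return { allowed: false, reason: "origin mismatch: " + origin };
  }
  // Layer 2: the synchronizer token, which only a same-origin page could embed.
  const presented = req.headers["x-csrf-token"] || (req.body && req.body.csrf_token);
  if (!tokensMatch(presented, session.csrfToken)) {
    return { allowed: false, reason: "bad or missing csrf token" };
  }
  return { allowed: true, reason: "origin and token verified" };
}

// Constructed requests (not captured traffic) illustrating each outcome.
const session = {};
const token = issueToken(session);
const constructedRequests = [
  { method: "POST", headers: { origin: SITE_ORIGIN, "x-csrf-token": token }, body: {} },
  { method: "POST", headers: { origin: "https://other.example", "x-csrf-token": token }, body: {} },
  { method: "POST", headers: { origin: SITE_ORIGIN }, body: {} },
  { method: "POST", headers: { referer: SITE_ORIGIN + "/transfer" }, body: { csrf_token: token } },
];
for (const r of constructedRequests) {
  console.log(r.method, JSON.stringify(r.headers), "->", JSON.stringify(checkStateChangingRequest(r, session)));
}
```

Both layers are kept because each covers a case the other misses: the Origin check needs no per-page plumbing but some clients omit the header, while the token works without headers but depends on every state-changing form or script carrying it.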