Cross-Domain POST Requests: Practice and Theory
The simplest, most idiotic question broke my brain this morning.
Here we have popular sites and services on the Internet, thousands of them. Take for example vk.com (or change it to <any other site you know> if you wish).
On this site, you can log in with your account. And after logging in, you can do all sorts of destructive things, such as operations that delete <something>. These operations are invoked, as usual, by a POST request; cookies are sent with it, everything as always.
Actually, the question that haunts me is: what prevents me, as an attacker, from creating an HTML page such that a person logged in to the victim site who opens it would perform an arbitrary action under their account on that site without their knowledge?
Well, something like this, to exaggerate:
<form action="http://vk.com/actions.php" method="POST">
<input type="hidden" name="delete_my_profile" value="yes i am shure">
<input type="submit">
</form>
VK itself, at the beginning of its existence, was subject to attacks of this kind. If you remember, notes were constantly being left on walls, and messages sent, that the author did not send.
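What stops the form in the question is a server-side check that the POST came from the site's own page. The sketch below is an added example, not part of the thread and not VK's code: it checks the Origin/Referer header and a per-session token. The `csrf_token` field name, `SERVER_KEY`, the session id and `attacker.example` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)
TRUSTED_ORIGIN = "http://vk.com"       # origin of the form's action URL in the question

def issue_token(session_id: str) -> str:
    """Token the site embeds as a hidden field in forms it serves itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict) -> bool:
    """Check Origin, falling back to Referer; a missing value is untrusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN

def accept_post(session_id: str, headers: dict, form: dict) -> bool:
    """Accept a state-changing POST only if it came from the site's own page."""
    if not same_origin(headers):
        return False
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(supplied.encode(), issue_token(session_id).encode())

# Constructed sample requests. Both carry the same valid session, because the
# browser attaches the site's cookies to any POST sent to it, whoever built the form.
SESSION = "sess-3f9a"  # constructed session id
forged = dict(headers={"Origin": "http://attacker.example"},
              form={"delete_my_profile": "yes i am shure"})
genuine = dict(headers={"Origin": "http://vk.com"},
               form={"delete_my_profile": "yes i am shure",
                     "csrf_token": issue_token(SESSION)})

if __name__ == "__main__":
    print("forged accepted: ", accept_post(SESSION, **forged))
    print("genuine accepted:", accept_post(SESSION, **genuine))
```

The token works because a page on another origin can submit the form but cannot read the site's pages to learn the value the server expects for that session.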