The goal is to prevent external websites from accessing the resources served by a Tuleap instance. The only exception is the one resource that is supposed to be accessed cross-origin: the REST API.
This is a strong defense in depth against CSRF, cross-site script inclusion and, more generally, cross-site leaks.
Deploying such a policy is possible thanks to the fetch metadata headers that browsers send; see https://www.w3.org/TR/fetch-metadata/
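
One way to express such a policy as a request filter, added here as an illustration and not Tuleap's own code. The `/api/` prefix, the function and constant names, the trust given to same-site requests, the exemption for plain cross-site navigations and the sample requests are all assumptions.

```python
# Resource isolation policy driven by Fetch Metadata request headers.
# Assumptions (not from the original text): the REST API lives under /api/,
# paths are already normalized, same-site is trusted like same-origin.

CROSS_ORIGIN_PREFIXES = ("/api/",)  # assumed REST API location
TRUSTED_SITES = {"same-origin", "same-site", "none"}  # none: typed URL, bookmark


def is_request_allowed(method, path, headers):
    """Return True when the request passes the isolation policy."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}

    # The one resource that is meant to be reachable cross-origin.
    if path.startswith(CROSS_ORIGIN_PREFIXES):
        return True

    site = h.get("sec-fetch-site")
    # Header absent: a browser without Fetch Metadata support or a non-browser
    # client. Let it through so it keeps working; other defenses still apply.
    if site is None or site in TRUSTED_SITES:
        return True

    # Cross-site from here on. Only a plain top-level navigation (a link on
    # another site) passes; subresource loads and state changes do not.
    return (
        method.upper() == "GET"
        and h.get("sec-fetch-mode") == "navigate"
        and h.get("sec-fetch-dest") not in ("object", "embed")
    )


def _req(method, path, site=None, mode=None, dest=None):
    pairs = (("Sec-Fetch-Site", site), ("Sec-Fetch-Mode", mode), ("Sec-Fetch-Dest", dest))
    return method, path, {k: v for k, v in pairs if v is not None}


# Constructed sample requests; the paths are placeholders.
SAMPLES = {
    "script inclusion": _req("GET", "/data/export.js", "cross-site", "no-cors", "script"),
    "cross-site form post": _req("POST", "/account/update", "cross-site", "navigate", "document"),
    "link from another site": _req("GET", "/projects/demo", "cross-site", "navigate", "document"),
    "REST API call": _req("GET", "/api/v1/items", "cross-site", "cors", "empty"),
    "same-origin post": _req("POST", "/account/update", "same-origin", "cors", "empty"),
    "client without the headers": _req("GET", "/projects/demo"),
}


def evaluate_samples():
    return {name: is_request_allowed(*req) for name, req in SAMPLES.items()}
```
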