by DrCatbox
5019 days ago
You misunderstood the vulnerability here a bit. It works even when you have "passive observation". All you need is two things: 1) to make the victim run your JavaScript, regardless of where you make your victim fetch and run your script, and 2) sniff his packets to see what is going over the wire. You can do both things very easily, for example in a cafe on an open WiFi network, or in a cafe with WPA2 where you and your victim are on the same WiFi, using the same password from the cafe (ARP poisoning your victim...). Take the "you and the victim are at a secure WPA2 cafe" case: the bartender gives both of you the WiFi password. You perform an ARP poisoning on your victim; now all his communication goes through your computer, and you act as the gateway for him. Now you have 2) from above. Then you can, for example, replace his request for http://cdn.google.com/jquery.js with your own jquery.js spiced with this new CRIME fancy JavaScript as well, in which you just create a lot of img elements with src set to, say, https://facebook.com. And so on, as described in CRIME, you can reveal the victim's session cookie, for example. The tools to perform ARP poisoning have been around since the stone age; the tools to serve your victim your own .js for some random request of his over HTTP have also been around since the stone age. And now we have CRIME to reveal parts of the victim's supposedly secure communication channel as well.
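To make the CRIME part of the comment above concrete from the defender's side, here is an added example (my own, not code from DrCatbox or from the CRIME authors). It models what the comment describes: the attacker-controlled URL and the browser's secret cookie going through one compression context, so the compressed (and therefore encrypted) length depends on whether the attacker's bytes duplicate the secret. It then models the mitigation, compressing the two parts in independent contexts, and provides a check that a defender can use on any such transport: hold the attacker-visible input fixed, vary only the secret, and see whether the length changes. The host name, the two session tokens and the request layout are constructed for this demonstration; zlib's DEFLATE with a fixed Huffman table stands in for SPDY/TLS-level compression so the lengths are deterministic.

```python
import zlib

# Constructed values for this demonstration only (not from any real server):
# two session tokens of equal length with no repeated substrings, so that any
# length difference comes only from how the token relates to the attacker's bytes.
HOST = "example.com"
SECRET_REAL = "a7f3c9e1b2d4"
SECRET_OTHER = "z9q1w8e2r5t0"


def deflate(data: bytes) -> bytes:
    # DEFLATE with a fixed Huffman table (Z_FIXED): output size then reflects
    # only literals versus back-references, which keeps the comparison deterministic.
    comp = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return comp.compress(data) + comp.flush()


def controlled_part(path: str) -> bytes:
    # Bytes an attacker can influence through the victim's browser (the URL).
    return f"GET {path} HTTP/1.1\r\nHost: {HOST}\r\n".encode()


def secret_part(secret: str) -> bytes:
    # Bytes the browser adds on its own and that must stay confidential.
    return f"Cookie: sessionid={secret}\r\n\r\n".encode()


def shared_context_len(path: str, secret: str) -> int:
    # Model of SPDY/TLS-level compression: attacker-controlled and secret bytes
    # share one DEFLATE context, so a copy of the secret in the path lets the
    # cookie be encoded as a short back-reference and the record gets shorter.
    return len(deflate(controlled_part(path) + secret_part(secret)))


def separate_context_len(path: str, secret: str) -> int:
    # Mitigation modeled here: compress the two parts in independent contexts
    # (or not at all), so the secret can never be matched against the
    # attacker's bytes and the observable length no longer depends on it.
    return len(deflate(controlled_part(path))) + len(deflate(secret_part(secret)))


def length_depends_on_secret(measure, path: str, secrets) -> bool:
    # Defender's check: with the attacker-visible input held fixed, does the
    # observable length change when only the secret changes? If it does, the
    # transport leaks and must not compress these bytes in one context.
    return len({measure(path, s) for s in secrets}) > 1


def demo() -> dict:
    # The attacker-chosen path duplicates "sessionid=" plus a candidate value,
    # which is what injected script making requests to the target would produce.
    path = f"/?sessionid={SECRET_REAL}"
    secrets = [SECRET_REAL, SECRET_OTHER]
    return {
        "shared_leaks": length_depends_on_secret(shared_context_len, path, secrets),
        "separate_leaks": length_depends_on_secret(separate_context_len, path, secrets),
        "shared_len_when_guess_matches": shared_context_len(path, SECRET_REAL),
        "shared_len_when_guess_differs": shared_context_len(path, SECRET_OTHER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for an operator is the last function: it is the property that disabling TLS compression (or never compressing attacker-influenced and secret bytes in one context) restores, and it can be checked without knowing anything about how an attacker would drive the oracle.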