
I read the CRIME - How to beat the BEAST successor? question and answer, but I don't understand this: if JavaScript can be injected and run on the attacked machine, why not directly send the secret cookie as an AJAX request to a remote server hosted by the attacker?

Quote:

Suppose that the attacker uses some JavaScript code which can send arbitrary requests to a target site (e.g. a bank) and runs on the attacked machine;

user86334

3 Answers


Because the JavaScript will be running from a different origin - the Same Origin Policy will prevent example.org from grabbing the cookies from bank.example.com.

Example.org does not even have to have been compromised. A Man-In-The-Middle attacker (let's call her Mallory) could have intercepted a connection from the victim (let's call him Bob) to the benign site Bob visits over plain HTTP, e.g. http://example.org.

Mallory injects some JavaScript into the responses received from example.org which will run in Bob's browser. Because this JavaScript is received from example.org in the eyes of the browser, this JavaScript cannot access cookies on bank.example.com. Mallory cannot manipulate traffic to bank.example.com because this connection uses https, and all cookies are marked secure and/or HSTS is used.

However, using the CRIME attack, Mallory can use the JavaScript to send requests from example.org to bank.example.com and then monitor the network traffic. With enough traffic sent to bank.example.com, Bob's cookie values can be determined.

SilverlightFox

The JavaScript is not injected on bank.com, it's run on compromised.com that you visit or are tricked into visiting. The JavaScript on compromised.com makes requests to bank.com on your behalf.

The attacker must also be able to view your network traffic, such as at a Wi-Fi hotspot.

Neil McGuigan

In addition to Neil's answer, if a cookie is marked as HttpOnly it will be inaccessible via JavaScript and therefore you cannot pass it on to the evil server.

David Waters
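The following is an added illustration of the two points made in the answers above (SilverlightFox's explanation of the Same-Origin Policy and the compression length leak, and David Waters' HttpOnly remark); it is not code from the question or any of the answers. It simulates a browser cookie jar with a constructed, made-up session value, builds a simplified HTTPS request to bank.example.com, and uses Python's zlib DEFLATE as a stand-in for the TLS compression that CRIME exploited. The cookie values, host names and the request format are all assumptions made for the demonstration.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


# Constructed browser state for the demonstration (not real data): Bob is logged in
# to bank.example.com and also holds a harmless cookie from the plain-HTTP site.
COOKIE_JAR = [
    Cookie("bank.example.com", "session", "Xk7QpL2mA9vB", secure=True, http_only=True),
    Cookie("example.org", "theme", "dark"),
]


def script_readable_cookies(script_origin_host):
    """What document.cookie exposes to a script running on script_origin_host.

    Same-Origin Policy: only that host's cookies are visible, and HttpOnly
    cookies are hidden from script entirely, even on their own origin."""
    return {c.name: c.value for c in COOKIE_JAR
            if c.domain == script_origin_host and not c.http_only}


def cookies_sent_with_request(target_host, https):
    """Cookies the browser attaches to a request to target_host, no matter which
    origin's script triggered the request. Secure cookies travel only over HTTPS."""
    return {c.name: c.value for c in COOKIE_JAR
            if c.domain == target_host and (https or not c.secure)}


def build_request(target_host, attacker_path):
    """A simplified HTTPS request to target_host for a path chosen by the injected
    script. The browser adds the Cookie header; the script never sees its value."""
    cookie_header = "; ".join(
        f"{k}={v}" for k, v in cookies_sent_with_request(target_host, https=True).items())
    return (f"GET {attacker_path} HTTP/1.1\r\n"
            f"Host: {target_host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def compressed_length(target_host, guess):
    """Length on the wire if the request were compressed (DEFLATE, as TLS
    compression was). This length is all a network observer like Mallory learns."""
    return len(zlib.compress(build_request(target_host, f"/?session={guess}"), 9))


def length_oracle_gap(target_host, correct_prefix, wrong_prefix):
    """How many bytes shorter the compressed request is when the attacker-chosen
    path repeats the real cookie prefix (DEFLATE replaces the repeat with a
    back-reference) than when it repeats a wrong prefix of the same length.
    A positive gap means compression is leaking information about the cookie;
    with compression disabled both requests have exactly the same length."""
    return (compressed_length(target_host, wrong_prefix)
            - compressed_length(target_host, correct_prefix))


if __name__ == "__main__":
    print("example.org script sees:", script_readable_cookies("example.org"))
    print("bank script sees:", script_readable_cookies("bank.example.com"))
    print("sent to bank over HTTPS:", cookies_sent_with_request("bank.example.com", True))
    print("sent to bank over HTTP:", cookies_sent_with_request("bank.example.com", False))
    print("length gap:", length_oracle_gap("bank.example.com", "Xk7QpL2m", "Zq3WyT5n"))
```

Running it shows the three facts the thread turns on: the example.org script cannot read the bank cookie (and could not even on the bank's own origin, because it is HttpOnly), the browser still attaches that cookie to any request the script triggers towards bank.example.com over HTTPS, and once such a request is compressed its length depends on whether attacker-controlled bytes repeat the secret. The defensive takeaway is the one the real fix took: do not compress data that mixes secrets with attacker-chosen input, which is why browsers and servers disabled TLS compression after CRIME.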