You misunderstood the attack
The JavaScript is being slipped into an HTTP response from a site other than the target HTTPS site.
The trouble is, people visit HTTPS and HTTP sites at the same time. If the target is logged into an HTTPS page and then visits an HTTP page on a different site, you can inject stuff into that HTTP page that will initiate requests against the target site.
E.g., you could stick this bit of code in the HTTP page if the target site is vulnerable to CSRF:
<img src="https://target.site.example.com/changepassword.cgi?newpassword=foo">
And if the target site doesn't use Strict-Transport-Security, and hasn't set the Secure flag on their cookie, you can cause the browser to initiate a non-SSL HTTP request against the target to leak their cookie by simply slipping this into some unrelated HTTP request to a different site:
<img src="http://target.site.example.com/">
You'll notice how both of those attacks work against browsers that have JavaScript disabled. This is why I use the Firefox add-on RequestPolicy alongside NoScript.