Relies on Javascript
1. have control of the victim's network and install interceptor/sniffer
2. inject - into unauthenticated HTTP responses of some 3rd site - a Javascript
3. Javascript makes cross-site probe requests to the target site
3a. Javascript cannot read responses due to cross-origin policy block
4. network sniffer intercepts probe responses and analyses them
Yet another very good example of why using HTTPS for everything, having Javascript disabled by default, monitoring, and selectively enabling, are effective protections for many attack vectors like this.
Browser add-ons like uMatrix, NoScript, etc. will all help.