You misunderstood the attack
The trouble is, people visit https and http sites at the same time. If the target is logged into a https page, and then visits a http page on a different site. You can inject stuff into that http page that will initiate requests against the target site.
Eg, you could stick this bit of code in the http page if the target site is vulnerable to CSRF:
And if the target site doesn't use Strict-Transport-Security, and hasn't set the Secure flag on their cookie, you can cause the browser to initiate a non-ssl http request against the target to leak their cookie by simply slipping this into some unrelated http request to a different site: