BREACH attack in HTTPS


This attack is old and works against HTTP compression like gzip. This is possible when an attacker can find a secret in HTTP response when the server accepts a query parameter and reflect back in response, and calculating gzip size.

But, how can the attacker calculate the size? Can domain raise a request to and measure the size of gzip response when same origin policy is in place?

If the attacker has to calculate the gzip size by doing MITM, then the TLS in HTTPS will prevent that. What am I missing here?