HEIST enables an attacker to conduct BREACH attack against HTTP compression and CRIME attack against TLS compression without being in a man-in-the-middle position. HEIST uses a side-channel attack involving TCP-windows to leak the exact size of any cross-origin response, without having to observe traffic at the network level. Thus, HEIST enables compression-based attacks such as CRIME and BREACH to be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. HEIST stands for "HTTP Encrypted Information can be Stolen through TCP-windows". External References: https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows-wp.pdf
Mitigation: Disable third-party cookies in the browser. https://support.mozilla.org/en-US/kb/disable-third-party-cookies (Firefox) https://support.google.com/chrome/answer/95647?hl=en (Google Chrome)