Additional notes (present on the downstream bug in Launchpad):

Disabling HTTP-level compression by default is not a decent option for
solving this. Mitigation is mostly on an application level, then;
however, there are third-party modules that can be included (in the
Universe binaries) which would add length hiding as a potential
mitigation method.

A more detailed description on this whole issue can be found here on my
blog, describing what BREACH is and possible mitigation methods. It also
provides three possible mitigation methods, one which can be done
already by default, one which can be done at application levels, and one
which can be done with a separate module. http://dark-net.net/?p=49
is the blog post.

A considerable option is to consider including the length_hiding module
touched upon in my blog post (and existing on github and maintained by a
third party at
https://github.com/nulab/nginx-length-hiding-filter-module).  Another
option is to make a change in NGINX documentation referring to BREACH
not being mitigated by default, in which case this can be considered
'wontfix' with a comment included regarding that in the default config
later.


------
Thomas
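The "length hiding" approach Thomas refers to, as an added illustration that is not code from this thread, from the nulab module, or from nginx: append a random-length HTML comment to each compressed response so that the compressed size stops tracking the secret. The sample body, the 0..256 byte padding range, and the function names are assumptions chosen for the example; the module's own directives and insertion point may differ.

```python
import random
import secrets
import string
import zlib
from typing import List, Optional

# Constructed sample response body (not taken from any real site): it carries a
# per-session secret next to content that reflects a request parameter, the
# shape of page BREACH is concerned with.
SAMPLE_BODY = (
    b"<html><body>\n"
    b'<form><input type="hidden" name="csrf" value="a1b2c3d4e5f6"></form>\n'
    b"<p>You searched for: example query</p>\n"
    b"</body></html>\n"
)

ALPHABET = (string.ascii_letters + string.digits).encode()


def make_padding(length: int, rng=secrets) -> bytes:
    """Return `length` random alphanumeric bytes.

    Random data compresses badly, so the padding keeps its size after gzip;
    a run of spaces would be squeezed back out by DEFLATE and hide nothing.
    `rng` only needs a `choice` method: `secrets` in production, a seeded
    `random.Random` when a reproducible run is wanted.
    """
    return bytes(rng.choice(ALPHABET) for _ in range(length))


def add_length_hiding(body: bytes, max_pad: int = 256, rng=secrets) -> bytes:
    """Insert an HTML comment of random length (0..max_pad) before </body>.

    The comment is invisible to the browser but changes the plaintext, and
    therefore the compressed length, by an amount unrelated to the secret.
    If the body has no </body>, the comment is appended instead.
    """
    pad = make_padding(rng.choice(range(max_pad + 1)), rng)
    comment = b"<!-- " + pad + b" -->"
    idx = body.rfind(b"</body>")
    if idx == -1:
        return body + comment
    return body[:idx] + comment + body[idx:]


def compressed_size(body: bytes, level: int = 6) -> int:
    """Size of the body after DEFLATE, i.e. what an observer on the wire sees."""
    return len(zlib.compress(body, level))


def observe_sizes(body: bytes, rounds: int, max_pad: int,
                  seed: Optional[int] = None) -> List[int]:
    """Compressed sizes of `rounds` responses built from the same body.

    With max_pad=0 every response compresses to the same size; with padding
    the sizes spread out, which is the property length hiding relies on.
    A seed makes the run reproducible for testing.
    """
    sizes = []
    for i in range(rounds):
        rng = secrets if seed is None else random.Random(seed + i)
        sizes.append(compressed_size(add_length_hiding(body, max_pad, rng)))
    return sizes


if __name__ == "__main__":
    print("no padding  :", sorted(set(observe_sizes(SAMPLE_BODY, 10, 0))))
    print("with padding:", sorted(set(observe_sizes(SAMPLE_BODY, 10, 256))))
```

Random padding only adds noise to the size channel; an observer who can provoke many responses for the same guess can average it out, so this raises the cost of BREACH rather than removing it, which is why the application-level options (not reflecting user input next to secrets, per-request masking of tokens) remain the stronger fix.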
