Everywhere I look for solutions to mitigate this vulnerability, I find something like:
Just disable HTTP compression.
Well, that's a pain, because compression saves a lot of bandwidth and also makes your webpages load much faster. Moreover, what I read about BREACH is that compression length can be used by an attacker to read some (potentially secret) information inside the compressed document.
Now, let's admit I do have some secret information in pages I load; that doesn't mean static resources like CSS or JS do too.
So, is it a solution to disable compression only for HTML pages (dynamic or not) and enable compression for non-secret resources like CSS or safe JS?
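The per-content-type policy described in the question, sketched as an added example that is not part of the original post: a WSGI middleware that gzips only an allow-list of static types and sends HTML (and anything unlisted) uncompressed. The names `SelectiveGzip`, `should_compress`, `demo_app` and `fetch` are hypothetical, and the allow-list assumes those files hold no secrets and reflect no request input.

```python
import gzip

# Assumption: these types come from static files that hold no secrets and
# reflect no request input. HTML and anything unlisted is sent uncompressed.
STATIC_TYPES = {"text/css", "application/javascript", "text/javascript"}

def should_compress(content_type, accept_encoding, already_encoded):
    media_type = content_type.split(";", 1)[0].strip().lower()
    return (media_type in STATIC_TYPES and not already_encoded
            and "gzip" in accept_encoding.lower())

class SelectiveGzip:
    """WSGI middleware (hypothetical name) applying should_compress per response."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, list(headers)
        body = b"".join(self.app(environ, capture))  # buffer the whole response
        lookup = {k.lower(): v for k, v in captured["headers"]}
        headers = [(k, v) for k, v in captured["headers"]
                   if k.lower() != "content-length"]
        if should_compress(lookup.get("content-type", ""),
                           environ.get("HTTP_ACCEPT_ENCODING", ""),
                           "content-encoding" in lookup):
            body = gzip.compress(body)
            headers += [("Content-Encoding", "gzip"), ("Vary", "Accept-Encoding")]
        headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]

def demo_app(environ, start_response):
    """Constructed sample app: an HTML page carrying a token, and a stylesheet."""
    if environ["PATH_INFO"].endswith(".css"):
        start_response("200 OK", [("Content-Type", "text/css")])
        return [b"body { margin: 0; }\n" * 50]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<input name='csrf' value='constructed-token'>" * 50]

def fetch(path, accept_encoding="gzip, deflate"):
    """Send one request through the middleware; return (headers, body)."""
    seen = {}
    def record(status, headers, exc_info=None):
        seen["headers"] = dict(headers)
    environ = {"PATH_INFO": path, "HTTP_ACCEPT_ENCODING": accept_encoding}
    body = b"".join(SelectiveGzip(demo_app)(environ, record))
    return seen["headers"], body
```

Because the decision is an allow-list, a new dynamic content type stays uncompressed until someone deliberately adds it.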