Heist

HTTPS Vulnerability

         

keyplyr

5:04 am on Aug 14, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



New security vulnerabilities have been found when combining HTTPS and GZIP compression.
The HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside.
source: [arstechnica.com...]

- - -

Dimitri

9:36 am on Aug 14, 2018 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage.

I have often mentioned it: we should limit third-party elements on our sites to the very strict minimum, because we can't control them, and they can be compromised, ahead.

That being said, on pages with a form (sign-in, contact, etc.), I NEVER insert any third-party code. These pages are fully under my control. (Now, if the client's computer is compromised, that's another problem.)

PS: I am also using Brotli, without fallback to GZ, but I bet that one day, someone, somewhere, will find a breach in Brotli too.

keyplyr

10:17 am on Aug 14, 2018 (gmt 0)




I am using Brotli, without fallback to GZ, but I bet that one day, someone, somewhere, will find a breach in Brotli too.
Doesn't say that the hack is limited to GZIP. I think GZIP was mentioned in the first article because it is common to most sites using file compression.

Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

keyplyr

9:22 pm on Aug 15, 2018 (gmt 0)




Those upgrading their servers to support TLS 1.3 are doing so with a default of no compression.

Dimitri

8:56 am on Aug 17, 2018 (gmt 0)




Do you mean they are disabling compression?

keyplyr

9:14 am on Aug 17, 2018 (gmt 0)




Not disabling. Default is no compression. File compression is something that is added, by various means.
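
Why response size matters on compressed HTTPS pages, as an added example that is not part of this thread or of the quoted article: a constructed page (hypothetical `render`, sample `SECRET`) that echoes request input next to a secret is measured with and without DEFLATE, the algorithm GZIP uses. Encryption hides the content but not the length, so the check reports whether the length depends on the echoed input.

```python
import zlib

# Constructed sample secret; not a real token.
SECRET = "4be1c07d9a62f35e8c0b7a1d6e93f254"


def render(reflected: str) -> bytes:
    """Constructed page that echoes request input and embeds a secret in the same body."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f"<input type='hidden' name='csrf' value='{SECRET}'>"
        "</body></html>"
    ).encode()


def wire_length(body: bytes, compress: bool) -> int:
    """Body length as sent; encryption on top of it does not hide this size."""
    return len(zlib.compress(body, 6)) if compress else len(body)


def length_signal(compress: bool) -> int:
    """Bytes by which an unrelated input makes the response longer than
    an input that repeats the secret already present in the page."""
    matching = SECRET
    unrelated = "d27f0a95c3e814b6f19e5d30a8c46b7e"  # constructed, same length
    return (wire_length(render(unrelated), compress)
            - wire_length(render(matching), compress))


if __name__ == "__main__":
    # Both bodies have the same plaintext length, so any difference comes
    # from the compressor replacing the repeated string with a back-reference.
    print("with compression   :", length_signal(True), "bytes of difference")
    print("without compression:", length_signal(False), "bytes of difference")
```

A non-zero result with compression on is the property to look for when auditing pages that place reflected input and secrets in one response; serving those responses uncompressed, or not reflecting input on them, removes it.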