I’ve got a question about the recent BREACH attack against HTTPS payloads.

Except for SPDY, this only applies to cases where the secret is in the HTTP body, not the header, right? Because gzip compression is a Content-Encoding on the payload while the cookie and other header fields are sent encrypted but uncompressed, yes? Or does TLS offer compression of the full pipe?

http://arstechnica.com/security/2013/08/how-do-you-stop-https-defeating-breach-attacks-let-us-count-the-ways/
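
The distinction the question draws, as an added example that is not part of the original post: HTTP `Content-Encoding: gzip` compresses only the body, so the `Set-Cookie` header reaches TLS as uncompressed bytes, while the compressed body's length shifts when reflected input matches a secret on the same page. The cookie, token, page template and function names are constructed for illustration, and the sketch assumes no TLS-level compression and no SPDY header compression.

```python
import gzip

# Constructed sample values (assumptions, not taken from the post or the article).
COOKIE = "session=9c1f7a3e5b2d48f60a7e1c3b5d9f2468"
BODY_SECRET = "csrf_token=4f9a1c7e2b8d03a65e71c9b2d4f08a3c"
WRONG_GUESS = "csrf_token=b07d2e95c14a6f38d2905be7a16c84f1"  # same length, different value


def build_response(reflected, compress=True):
    """Return (header_bytes, body_bytes) as they are handed to TLS for encryption."""
    page = (
        "<html><body>"
        f"<p>Results for: {reflected}</p>"  # request-controlled, reflected input
        f"<input type='hidden' name='csrf' value='{BODY_SECRET}'>"
        "</body></html>"
    ).encode()
    # Content-Encoding is applied to the entity body only, never to the header block.
    body = gzip.compress(page, mtime=0) if compress else page
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    if compress:
        lines.append("Content-Encoding: gzip")
    lines += [f"Content-Length: {len(body)}", f"Set-Cookie: {COOKIE}", "", ""]
    return "\r\n".join(lines).encode(), body


def report():
    """Collect the facts a defender would check for this response shape."""
    hdr, match_body = build_response(BODY_SECRET)
    _, miss_body = build_response(WRONG_GUESS)
    _, match_plain = build_response(BODY_SECRET, compress=False)
    _, miss_plain = build_response(WRONG_GUESS, compress=False)
    return {
        # The cookie sits verbatim in the header bytes: gzip never touched it.
        "cookie_uncompressed_in_headers": COOKIE.encode() in hdr,
        # Same-length reflected input, different compressed body length.
        "gzip_len_matching_input": len(match_body),
        "gzip_len_other_input": len(miss_body),
        # With compression off for this response, length no longer depends on content.
        "plain_len_matching_input": len(match_plain),
        "plain_len_other_input": len(miss_plain),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

TLS encryption hides the bytes but not their count, so the difference between the two gzip lengths is what remains observable on the wire; the two uncompressed lengths are identical.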