The key point is the opening of the "Our Solution" section:
We decided to use selective compression, compressing only non-secret parts of a page, in order to stop the extraction of secret information from a page.
A regex decides which parts are secret tokens; those are treated as exceptions and left uncompressed, while everything else stays compressed. The amount of data transferred still drops substantially, but the secret tokens are not leaked. Since this idea is rather unusual and has not been empirically validated, they set up a challenge site for everyone to attack:
We have set up the challenge website compression.website with protection, and a clone of the site compression.website/unsafe without it. The page is a simple form with a per-client CSRF designed to emulate common CSRF protection. Using the example attack presented with the library we have shown that we are able to extract the CSRF from the size of request responses in the unprotected variant but we have not been able to extract it on the protected site. We welcome attempts to extract the CSRF without access to the unencrypted response.
If this approach proves viable, someone will presumably develop a standard so that the compression algorithm does not have to guess which parts are secret tokens, which would better prevent leaks caused by a missed match...
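To make the selective-compression idea concrete, here is an added example (not code from the paper or its library) that writes regex-matched secrets as stored DEFLATE blocks and compresses only the surrounding text, then checks whether the response size still changes when reflected input repeats part of the token. The page layout, the token value and the `name="csrf"` regex are all constructed assumptions; a token the regex fails to match would be compressed like any other text, which is exactly the missed-match risk noted above.

```python
import re
import zlib

# Constructed sample data: a per-client CSRF token in a hidden form field, assumed
# to match this regex (the real paper/library's patterns are not on the page).
TOKEN = b"a1b2c3d4e5f6g7h8"
SECRET_RE = re.compile(rb'name="csrf" value="([A-Za-z0-9]+)"')

def build_page(token: bytes, reflected: bytes) -> bytes:
    """Constructed page: the secret token plus content echoed from the request."""
    return (b'<input type="hidden" name="csrf" value="' + token + b'">'
            b'<p>Search results for: ' + reflected + b'</p>')

def deflate_segment(data: bytes, level: int) -> bytes:
    """Emit `data` as non-final raw-DEFLATE blocks. A fresh compressor has no history,
    so its back-references stay inside `data`; Z_FULL_FLUSH byte-aligns the output so
    the next segment's blocks can simply be appended to the same stream."""
    c = zlib.compressobj(level, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush(zlib.Z_FULL_FLUSH)

def naive_compress(page: bytes) -> bytes:
    """Whole-page raw DEFLATE: secrets and reflected input share one LZ77 window."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(page) + c.flush(zlib.Z_FINISH)

def selective_compress(page: bytes) -> bytes:
    """Compress only the non-secret parts; regex-matched secrets are written as
    stored (level 0) blocks, so no match can reach into or out of them."""
    out = bytearray()
    pos = 0
    for m in SECRET_RE.finditer(page):
        out += deflate_segment(page[pos:m.start(1)], 9)  # public text before the token
        out += deflate_segment(m.group(1), 0)            # the token, stored uncompressed
        pos = m.end(1)
    out += deflate_segment(page[pos:], 9)                # remaining public text
    out += zlib.compressobj(9, zlib.DEFLATED, -15).flush(zlib.Z_FINISH)  # final block
    return bytes(out)

def inflate(stream: bytes) -> bytes:
    """Decode the raw DEFLATE stream produced by either compressor."""
    return zlib.decompress(stream, -15)

def size_depends_on_reflected(compress, token: bytes, a: bytes, b: bytes) -> bool:
    """Mitigation check: does the response size change when the reflected input
    repeats part of the token (a) versus the same bytes in another order (b)?"""
    return len(compress(build_page(token, a))) != len(compress(build_page(token, b)))

if __name__ == "__main__":
    repeat, shuffled = TOKEN[:8], TOKEN[:8][::-1]
    print("naive size leaks:    ", size_depends_on_reflected(naive_compress, TOKEN, repeat, shuffled))
    print("selective size leaks:", size_depends_on_reflected(selective_compress, TOKEN, repeat, shuffled))
```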