
Is an API vulnerable to BREACH if HTTP compression is only enabled for endpoints that are authenticated using bearer tokens?

Çağlar Arlı


Let's assume an API returns sensitive information (e.g. medical or financial) to authenticated users only.

In some circumstances responses may include information the user supplied in the request (e.g. if the user updates some text property of an entity in a PUT request and the 200 response includes the updated property value).

We'll also assume that response payloads are large enough that HTTP compression is worthwhile, avoiding any discussion of why one might want to enable it in the first place.

Any request without a valid bearer token in the authorisation header returns a 401.

According to breachattack.com, the combination of HTTP compression and sensitive responses containing reflected user input would make the API vulnerable to BREACH.

Other resources seem to suggest that BREACH relies on an attacker exploiting XSRF to issue requests, which shouldn't be possible with bearer auth.

Are there still ways in which BREACH vulnerabilities can be exploited against this API?
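The mechanism breachattack.com describes, as an added self-test example that is not part of the question or of any linked resource: a constructed response body echoes a request field next to a sensitive value, and the compressed size then depends on whether the echoed text matches the secret, while the same body without compression has a fixed size. The body shape, field names and secret value are hypothetical.

```python
import zlib

# Constructed stand-in for the PUT response described in the question: the body
# echoes the caller-supplied "note" and also carries a value the caller did not send.
SECRET = "account=4111-2222"          # constructed sample value, not real data
DIGITS = "0123456789"


def build_body(reflected: str, secret: str = SECRET) -> bytes:
    """Hypothetical JSON response; the reflected field shares the DEFLATE
    window with the secret, which is the precondition BREACH needs."""
    return ('{"note":"%s","balance":{"%s":1250.00}}' % (reflected, secret)).encode()


def wire_size(reflected: str, compress: bool) -> int:
    """Bytes that would cross the wire (TLS hides content, not length)."""
    body = build_body(reflected)
    if not compress:
        return len(body)
    # Fixed Huffman tables keep this small demo deterministic; real gzip
    # output adds Huffman-table noise on top of the same LZ77 size signal.
    z = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(z.compress(body) + z.flush())


def size_by_guess(known_prefix: str, alphabet: str, compress: bool) -> dict:
    """Defender self-test: wire size of the response for each candidate
    character appended to an already-known prefix of the secret."""
    return {c: wire_size(known_prefix + c, compress) for c in alphabet}


def length_oracle_present(known_prefix: str, alphabet: str, compress: bool) -> bool:
    """True when the response size depends on the guessed character, i.e. the
    compression + reflection combination leaks information about the secret."""
    return len(set(size_by_guess(known_prefix, alphabet, compress).values())) > 1


if __name__ == "__main__":
    prefix = SECRET[:-1]
    print("compressed sizes:", size_by_guess(prefix, DIGITS, True))
    print("oracle with compression:", length_oracle_present(prefix, DIGITS, True))
    print("oracle without compression:", length_oracle_present(prefix, DIGITS, False))
```

Running the self-test against an endpoint's real response template (with compression on and off) shows whether disabling compression for reflecting endpoints, or keeping reflected input out of the same response as the sensitive data, removes the size signal.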