While CRIME was mitigated by disabling TLS/SPDY compression (and by modifying gzip to allow for explicit separation of compression contexts in SPDY), BREACH attacks HTTP responses. It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite.
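However, on a closer look, its condition is that the HTTP body must contain both a secret and user-generated data, so ordinary JSON that does not meet those conditions is indeed fine.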
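The condition above can be checked with a short added example, which is not part of the original page: it compresses a constructed response body for two reflected strings of equal length, once with a secret in the body and once without. The body template, the token value and the function names are assumptions made for illustration.

```python
import zlib

# Constructed sample value; not taken from the page.
SECRET = "csrf_token=9f3a7c21b8e4d605"


def render(reflected: str, include_secret: bool) -> bytes:
    """Build a constructed response body that echoes user input and,
    optionally, carries a secret in a link further down the page."""
    link = f"/logout?{SECRET}" if include_secret else "/logout"
    html = (f"<html><p>Results for: {reflected}</p>"
            f'<a href="{link}">logout</a></html>')
    return html.encode()


def compressed_len(body: bytes) -> int:
    """Size of the body after DEFLATE, as HTTP compression would send it."""
    return len(zlib.compress(body))


def length_gap(include_secret: bool) -> int:
    """Compressed-size difference between two equal-length reflected strings:
    one that shares no token characters with SECRET, one that shares a prefix."""
    unrelated = "csrf_token=k0w5zq7m"
    overlapping = SECRET[:19]  # "csrf_token=9f3a7c21"
    return (compressed_len(render(unrelated, include_secret))
            - compressed_len(render(overlapping, include_secret)))


if __name__ == "__main__":
    # Both conditions met: the size depends on how much the input overlaps.
    print("secret + reflected input:", length_gap(True), "bytes")
    # No secret in the body: the reflected input has nothing to match against.
    print("reflected input only:    ", length_gap(False), "bytes")
```

The size gap appears only when the secret and the reflected input are compressed in the same body, which is why a response carrying just one of the two does not leak through its length.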
The end goal is to try to influence the Asynchronous Database Access (ADBA) specification.