[tptacek]

Do you understand how CSRF works? Just think of it in terms of CSRF. Since the attacker is trying to infer page content, they don't care that the server rejects all the probing requests, so CSRF protection doesn't help you as the attacker carries out the BREACH/CRIME stuff. If the result of the attack is an inferred CSRF token, they then cap the whole exploit off with a (now working) actual CSRF attack.

[z-factor]

I understand how the attack works, the question was about how a practical exploit would actually be carried out. I've figured out how one would issue GET requests from the right environment, but I don't know if the same is possible for POST.

[wglb]

It is just as possible. POST csrf exploits add between two and three minutes to an attacker to craft the request differently.

[tptacek]

Just in case you weren't clear on this already: CSRF works just fine against POST endpoints. Think Javascript.

[chopin]

Would it be possible to thwart this attack (BREACH) by issuing fresh CSRF tokens for each requests?

[z-factor]

Yes.