tokers / zstd-nginx-module

Nginx modules for the Zstandard compression
BSD 2-Clause "Simplified" License

BREACH concern: 'text/html' is always compressed #5

Open teward opened 5 years ago

teward commented 5 years ago

By having text/html "always compressed" (as it seems zstd_types is going to do no matter what I put on that command line) you introduce a persistent BREACH risk to your data.

It would be better if you have text/html as the 'default' option for zstd_types, but allow people to override it to exclude text/html MIME types.

By forcing text/html to be compressed all the time, a compressed HTML body containing some secret information could be vulnerable to BREACH. Adjusting the defaults to allow zstd_types to be overridden to exclude text/html would help to mitigate this risk.

(Brotli is also affected by this, as is GZip and other compression modules)

tokers commented 5 years ago

@teward I just want it to be consistent with the ngx_gzip module at that time.

Excerpting from ngx_gzip document:

Enables gzipping of responses for the specified MIME types in addition to “text/html”. The special value “*” matches any MIME type (0.8.29). Responses with the “text/html” type are always compressed.

tokers commented 5 years ago

OK now let me check the BREACH out.

tokers commented 5 years ago

@teward Your words sound fair enough. Since there is a potential security issue, we should fix it; this is more important than "consistency" with other modules of the same kind.

Although I'm not concerned with the details of the BREACH attack, I will fix this issue anyway as soon as possible.
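An added configuration example (not from the zstd-nginx-module repository or this thread) showing the workaround available while text/html is always compressed: keep `zstd` off where dynamic HTML is served and enable it only for a static-asset location. It assumes the module's `zstd`, `zstd_types` and `zstd_comp_level` directives; the hostname, upstream and document root are placeholders.

```nginx
# Weak configuration (for comparison only):
#     zstd on;
#     zstd_types text/css application/javascript;
# at server level compresses every response, and text/html is compressed
# regardless of zstd_types. Any dynamic page that reflects user input next
# to a session token or CSRF secret then becomes a BREACH candidate.

# Hardened configuration: compression is opt-in per location, and the
# location that can emit HTML containing secrets never opts in.
server {
    listen 443 ssl;
    server_name example.test;          # placeholder hostname

    zstd off;                          # default: dynamic HTML is sent uncompressed

    location / {
        # Application responses (HTML with secrets) inherit zstd off.
        proxy_pass http://app_backend; # placeholder upstream
    }

    location /static/ {
        # Only non-secret, non-HTML assets live here, so compressing
        # them gives an attacker no per-request length oracle on secrets.
        zstd on;
        zstd_comp_level 3;
        zstd_types text/css application/javascript image/svg+xml;
        root /var/www;                 # placeholder document root
    }
}
```

Verify the result with a request carrying `Accept-Encoding: zstd` against both an HTML page and a `/static/` asset: only the asset should come back with `Content-Encoding: zstd`.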