At last week's Black Hat conference, researchers announced the BREACH attack, a new attack on web apps that can recover data even when secured with SSL connections. The BREACH paper (PDF) contains full details (and is a good and fairly easy read).
Given what we know so far, we believe that BREACH may be used to compromise Django's CSRF protection. Thus, we're issuing this advisory so that our users can defend themselves.
It is important to note that the attack is agnostic to the version of TLS/SSL, and does not require TLS-layer compression. Additionally, the attack works against any cipher suite. Against a stream cipher, the attack is simpler; the difference in sizes across response bodies is much more granular in this case. If a block cipher is used, additional work must be done to align the output to the cipher text blocks.