diff --git a/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php b/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
index 063369df08..25e64f6377 100644
--- a/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -9,6 +9,7 @@ use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Language\LanguageManagerInterface;
 use Drupal\Core\PageCache\RequestPolicyInterface;
 use Drupal\Core\PageCache\ResponsePolicyInterface;
+use Drupal\Core\Routing\LocalAwareRedirectResponseTrait;
 use Drupal\Core\Site\Settings;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -21,6 +22,8 @@ use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  */
 class FinishResponseSubscriber implements EventSubscriberInterface {
 
+  use LocalAwareRedirectResponseTrait;
+
   /**
    * The language manager object for retrieving the correct language code.
    *
@@ -175,6 +178,15 @@ class FinishResponseSubscriber implements EventSubscriberInterface {
       // header declaring the response as not cacheable.
       $this->setResponseNotCacheable($response, $request);
     }
+
+    // BREACH attack countermeasure: don't allow compression of HTTPS responses
+    // if the Referer is not trusted.
+    if ($request->isSecure()
+      && (!$request->headers->has('Referer') || !$this->isLocal($request->headers->get('Referer')))) {
+      if ($cacheControl = $response->headers->get('Cache-Control')) {
+        $response->headers->set('Cache-Control', $cacheControl . ', no-transform');
+      }
+    }
   }
 
 /**
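Review bot: In the third hunk the countermeasure is skipped whenever `$response->headers->get('Cache-Control')` is empty, and when the header is present the string concatenation will append a second `no-transform` if one is already there; the inner `if`/`set` pair should be a single `$response->headers->addCacheControlDirective('no-transform');`, which adds the directive whether or not a Cache-Control header exists and does not duplicate it. The comment should also state what the directive actually buys: it is only a request to the web server and any intermediary not to compress the body, so the protection depends on that layer honouring `no-transform`, e.g. `// Relies on the web server / proxy honouring no-transform; a misconfigured layer that compresses regardless leaves HTTPS responses exposed to BREACH.` The `isLocal()` referer check is inherited from `LocalAwareRedirectResponseTrait` in the first two hunks, so a change to that trait's notion of "local" silently widens or narrows this countermeasure; a one-line comment pointing that out at the call site would help the next maintainer. The enclosing method starts before this hunk.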