Could this be worked around with some added random-length non-redundant data so that the 3rd party can draw no conclusions from the varying responses?
Of course this works as long as the additional deceit doesn't defeat the advantages of compression and even then it still feels like security through obscurity.
This would just mean you would have to run a very large number of requests, and take an average of them. That might be trickier, but if you can persuade a page to auto-reload it sounds quite possible.
Another option, a little trickier, is that you could take user-definable values (like cookies) and not compress them. I haven't looked carefully at DEFLATE, but in many other compression systems you can choose to simply not compress a short part of the stream. This could get complicated of course.
You already need to make multiple requests (apparently 6 per byte, using a binary search like algorithm). You can do that in the background of any page using JavaScript.
This is not an effective workaround. Without your suggestion, the length of encrypted packages is f(x), where x is the chosen plaintext, and f(x) happens to be smaller if x correctly guesses one character of the secret.
With your suggestion, the length of encrypted packages is f(x) + E, where E is a random variable (noise) that does not depend on x.
Because of that, an attacker simply has to repeat the attack sufficiently many times to gather statistics on package lengths until there is one value of x for which packages are clearly shorter on average than for the rest. This is very similar to the type of sampling you would do in a timing attack.
So your suggestion does make the attack slightly more complicated, but qualitatively, the system remains broken.
But adding a random length, random comment within the body of your HTML might eliminate the correlation between a correct key character and compressed length.
The attacker controls at least part of the body such that he can select the length of the message. If the attacker pads his guess such that the total message length is N X+1, then for a successful guess the message length is NX and for a non successful one (N+1) * X. You would need too give the message a random length independent of the body to make this attack unfeasibly.
then an attacker will pad it to be close the threshold of the multiplier. The difference between X multiples and X+1 multiples will still allow the attacker to determine the difference in compression size.
Of course this works as long as the additional deceit doesn't defeat the advantages of compression and even then it still feels like security through obscurity.