Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- 5.8.3
- None
Description
The DefaultRequestExceptionHandler shouldn't write the actual Exception message to the Request header X-Tapestry-ErrorMessage in production mode.
Instead, a generic "An error occurred." should be used, as the message exposes app internals.
The client-side code in ajax.coffee only uses the header to detect whether an error occurred and to log it to console.error, so its actual value is irrelevant.
Omitting the header completely would mean reworking ajax.coffee, as the header indicates that the response might contain HTML content for the exception frame.