
Error responses are not processed by Play Plugins and headers are stripped

Open Fraserhardy opened this issue 3 years ago • 0 comments

Play Version 1.5.x - 1.7.x

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

Ubuntu

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

Paste the output from java -version at the command line.

Expected Behavior

If the application returns a 404, 500 or other error code, I'd expect any changes to the response to still apply. For example, setting of security headers such as X-Frame-Options or Content-Security-Policy.

Actual Behavior

When returning a 404 or 500 (and other errors), the resulting response is a 'new response' created within play.server.PlayHandler#serve404 which does not contain any headers.

This means that if you have a Play Plugin which is designed to add security headers, those headers are not present on error responses.

Fraserhardy, Jul 12 '22 11:07
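
A regression check for the symptom reported above, as an added example that is not part of the original issue or the Play codebase: it parses raw response heads and reports which security headers present on a successful response are absent from 4xx/5xx responses. The sample responses, paths and function names are constructed for illustration.

```python
from email.parser import Parser

# Headers the issue names as examples of what a security plugin sets.
SECURITY_HEADERS = ("x-frame-options", "content-security-policy")

# Constructed response heads for illustration, not captured from a real app.
SAMPLES = {
    "/": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
         "Content-Security-Policy: default-src 'self'\r\n\r\n",
    "/missing": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "/boom": "HTTP/1.1 500 Internal Server Error\r\n"
             "X-Frame-Options: DENY\r\n\r\n",
}


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    status_line, _, header_block = raw.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    msg = Parser().parsestr(header_block, headersonly=True)
    return int(parts[1]), {k.lower(): v for k, v in msg.items()}


def dropped_headers(samples, baseline_path="/"):
    """Map each error path to the security headers the baseline has but it lacks."""
    base_status, base = parse_head(samples[baseline_path])
    if base_status >= 400:
        raise ValueError("baseline must be a successful response")
    expected = [h for h in SECURITY_HEADERS if h in base]
    findings = {}
    for path, raw in samples.items():
        status, headers = parse_head(raw)
        missing = [h for h in expected if h not in headers]
        if status >= 400 and missing:
            findings[path] = (status, missing)
    return findings


if __name__ == "__main__":
    for path, (status, missing) in dropped_headers(SAMPLES).items():
        print(f"{path} -> {status}: missing {', '.join(missing)}")
```

Run against response heads saved from a deployed application, a non-empty result means error responses are being served without the headers that successful responses carry.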