Closed
Labels
status: superseded (an issue that has been superseded by another)
Description
By default, ErrorAttributes will expose the exception attribute, which can be considered information leakage, similarly to #4730. IMO the exception attribute shouldn't be included by default, but rather only via a mechanism similar to the one used to include the trace attribute.
To clarify using a sample:
```groovy
@RestController
class AppController {
    @GetMapping("/")
    String home() {
        throw new RuntimeException("Sample error message")
    }
}
```

Running this with Spring Boot CLI and hitting the home handler will yield:
```http
HTTP/1.1 500
Connection: close
Content-Type: application/json;charset=UTF-8
Date: Wed, 04 Jan 2017 16:34:22 GMT
Transfer-Encoding: chunked

{
    "error": "Internal Server Error",
    "exception": "java.lang.RuntimeException",
    "message": "Sample error message",
    "path": "/",
    "status": 500,
    "timestamp": 1483547662254
}
```
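An application-side way to keep the exception class name out of the response shown above, as an added example that is not part of the original issue and is not Spring Boot's own code. It assumes the Spring Boot 1.x `ErrorAttributes` API (the `org.springframework.boot.autoconfigure.web` package and the `RequestAttributes`-based signature); the package and class name `SanitizedErrorAttributes` are hypothetical.

```java
package com.example.errors; // hypothetical package name

import java.util.Map;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.web.DefaultErrorAttributes;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;

/**
 * Replaces the auto-configured DefaultErrorAttributes bean (which is only
 * registered when no other ErrorAttributes bean exists) and drops the
 * "exception" attribute before the error body is rendered.
 */
@Component
public class SanitizedErrorAttributes extends DefaultErrorAttributes {

    private static final Logger log =
            LoggerFactory.getLogger(SanitizedErrorAttributes.class);

    @Override
    public Map<String, Object> getErrorAttributes(
            RequestAttributes requestAttributes, boolean includeStackTrace) {
        Map<String, Object> attributes =
                super.getErrorAttributes(requestAttributes, includeStackTrace);

        // Remove the exception class name from what the client sees.
        Object exceptionClass = attributes.remove("exception");

        // Keep the detail server-side so operators can still diagnose the
        // failure; the Throwable passed last is logged with its stack trace.
        if (exceptionClass != null) {
            log.warn("Request to {} failed with {}",
                    attributes.get("path"), exceptionClass,
                    getError(requestAttributes));
        }
        return attributes;
    }
}
```

With this bean on the classpath, the sample handler's 500 response keeps `error`, `message`, `path`, `status` and `timestamp` but no longer carries `"exception": "java.lang.RuntimeException"`.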