If a user tries to access a page which is protected by content-security-filter (as opposed to uri-security-filter, which is located before the cache and gzip filters), the error page is simply not served. This is fairly obvious when looking at the code:

        if (statusCode != HttpServletResponse.SC_OK) {
            return;
        }

This links back to MAGNOLIA-2178, but

• commenting that bit out seems to work fine (tried Safari 3.0.4, 3.2.1, 4.0.3, Firefox 3.0.4), I can't seem the reproduce the problems of MAGNOLIA-2178
• I'm trying to see what changes could have made this work/fail before, but I can't quite see it right now.

Given the current code of GZipFilter, if there was indeed an incompatibility between error pages headers and the fact these pages are gzipped, we could anyway easily serve those non-zipped. (it wasn't that trivial when GZipFilter was wrapping the response's output with a GZipOutputStream)