Theme assets served from `/uploads/` break when “Prevent anons from downloading files” is enabled

When a theme component declares assets in its about.json, Discourse stores and serves them under /uploads/.
If the site setting “Prevent anons from downloading files” is enabled, these theme assets return 404 for anonymous users because they’re treated as protected uploads.
This can break any theme or component that dynamically loads its own JavaScript — for example, the Topic List Previews component.


Steps to reproduce

  1. Install the Topic List Previews component (https://github.com/merefield/discourse-tc-topic-list-previews).
  2. Verify it loads correctly for both logged-in and anonymous users.
  3. Enable the site setting Prevent anons from downloading files.
  4. Visit the forum homepage as a logged-out user and check the browser console.

Observed behavior

  • Requests for files such as

    /uploads/default/original/1X/d8ce366bd7aad8f9fc7b26b08aecc855dd6d425c.js
    

    return 404 Not Found (actually an HTML error page).

  • Browser console shows:

    Refused to execute script ... because its MIME type ('text/html') is not executable
    
  • Components relying on that file (e.g., preview-edits.gjs in Topic List Previews) fail to run, causing layout issues.


Expected behavior

Theme assets defined in about.json should always be publicly accessible, regardless of the “Prevent anons from downloading files” setting.
They are static assets, not user uploads, and should not inherit upload-level access restrictions.


Technical details

  • Discourse version: 3.6.0.beta2 (latest)

  • Component: Topic List Previews

  • Relevant about.json snippet:

    "assets": {
      "imagesloaded": "assets/imagesloaded.js"
    }
    
  • During theme installation, Discourse stores this file as an Upload under /uploads/default/original/....

  • Enabling the anon restriction causes Discourse to block requests for that path, even though it’s a theme asset.


Proposed resolution

Theme assets uploaded via about.json should be:

  • Served from a dedicated path (e.g., /theme-assets/ or /assets/)
    or
  • Exempted from the “Prevent anons from downloading files” restriction.

Impact

This affects any theme or component that relies on theme assets (JS/CSS/images) dynamically loaded in the client.
It breaks major UI components for anonymous visitors when the anon download restriction is turned on.

3 Likes
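A way to check step 4 of the reproduction without a browser, as an added example that is not part of the original post or of Discourse: it requests each asset URL with no session cookie and flags the ones an anonymous visitor cannot load. The host `forum.example`, the `theme-asset.js` and `logo.png` paths, the sample responses and the simplified MIME rules are assumptions made for illustration.

```python
import urllib.error
import urllib.request

# MIME types accepted per asset extension (simplified assumption, not a browser spec).
EXPECTED = {
    ".js": ("text/javascript", "application/javascript"),
    ".css": ("text/css",),
}

def classify(url, status, content_type):
    """Return 'ok', 'blocked' or 'wrong-type' for one anonymous response."""
    mime = (content_type or "").split(";")[0].strip().lower()
    path = url.split("?")[0].lower()
    if status != 200:
        return "blocked"  # e.g. the 404 HTML error page described in the report
    for ext, allowed in EXPECTED.items():
        if path.endswith(ext) and mime not in allowed:
            return "wrong-type"  # served, but not with a type valid for the asset
    return "ok"

def probe(url, timeout=10):
    """Fetch url with no cookies or API key, i.e. as a logged-out visitor."""
    req = urllib.request.Request(url, headers={"User-Agent": "anon-asset-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type")

def audit(observations):
    """Map each URL in (url, status, content_type) tuples to its classification."""
    return {url: classify(url, status, ctype) for url, status, ctype in observations}

# Constructed sample responses; only the first path appears in the report.
BASE = "https://forum.example/uploads/default/original/1X/"
SAMPLE = [
    (BASE + "d8ce366bd7aad8f9fc7b26b08aecc855dd6d425c.js", 404, "text/html; charset=utf-8"),
    (BASE + "theme-asset.js", 200, "text/javascript"),
    (BASE + "logo.png", 404, "text/html; charset=utf-8"),
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {url}")
    # Against a live site: audit((u, *probe(u)) for u in asset_urls)
```

Running it before and after toggling the setting shows which `/uploads/` paths change from `ok` to `blocked` for logged-out visitors.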

Thanks for the super detailed description, I agree it makes sense to do something here.

1 Like

I don’t think this is limited to theme assets. It seems like enabling that setting also breaks things like the site logo, favicon, etc. for anonymous users. The implementation is a complete block on /uploads/* for anon.

Are you also seeing a broken logo on your site for anon @lhkjacky?

1 Like