This issue is caused by the fix to a security issue, see the advisory. It also explains how to work around that problem. However, a better solution exists since 1.537 in Plugins providing an implementation of the SecureRequester interface, e.g.:
I'm resolving this as not a defect, because it's a deliberate change because of security concerns. That it shows a content decoding error instead of "Access Denied" is a different, less important issue.