When being anonymous on an instance that is secured, if Overall/Read hasn't been granted to Anonymous, then retrieving the script.js from the plugin will issue a 403.
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
This prevents elements from the login page from being properly decorated.