Google Chrome is about to change behavior for cookies without a SameSite attribute, see https://web.dev/samesite-cookies-explained/ and https://www.chromium.org/updates/same-site. The rollout, originally planned for February/March, has now been postponed until the summer. Other browsers will eventually ship the same changes.
We're using the HTML Publisher plugin to publish LCOV-generated code coverage reports. The new SameSite behavior described above, together with the default Content-Security-Policy header, seems to break this use case. Specifically, the cookies set by Jenkins don't include a SameSite attribute and therefore are no longer being sent by the browser when the HTML report page tries to load additional resources (CSS and images), because they are considered cross-site requests. And without the session cookie, these requests are rejected by Jenkins with an HTTP 403 error.
Removing "sandbox" from the default hudson.model.DirectoryBrowserSupport.CSP setting works around the issue, but seems less than ideal.