`DEFAULT_EXTENSIONS` in `core/modules/file/src/Upload/FileUploadHandler.php` definitely needs extending as well. This is the list of allowed extensions used when no custom extension validator is used in Form API.
I see the problem, it's a different thing with the same symptom. Our site is in a subdir, but also accessible via the main domain directly through a server-side redirect. The hardcoded /editor paths end up pointing to the root version, which is not authenticated. Adding the suffix in the request makes it work, but just blindly adding it to the js or yml paths didn't do the trick. Any pointers would be helpful.
I have this issue on 9.5 as well. Is the patch supposed to work for that too? Doesn't make a difference, I still get the "forbidden" responses for the first character typed.
Thanks, can confirm the fix in 1.0.0.
Nice! Can we get a revision or minor version bump to make it easier to deploy?