The changes of XWIKI-21811 have been reverted on 15.10.x so this won't affect the 15.10.9 release.

I just found that actually, in the webjar resource handler, not just the context user is null but also the context author. We can thus neither use getDocumentAsAuthor() nor programming rights to access the document without rights check. So I think there is no chance we can get the configuration into the webjar. I see three fixes:

1. Revert the changes also for 16.3.1
2. Put @Authenticate on WebJarsResourceReferenceHandler to put a user into context. This could have unintended side effects Thomas Mortagne
3. Don't inject the sources into the JavaScript file but instead inject them, e.g., in a script element with an ID as JSON or put them in an attribute of the headerglobalsearchinput element and parse them from there. From all I can see, the sources are completely private in the JavaScript file so this should be possible but it could still cause breakage if some code uses an element headerglobalsearchinput without providing the sources.

For 16.3.1 the best option seems to revert but then for 16.4RC1 we need another solution.