Unauthorized when accessing custom admin endpoint

No, it's .read if it's something a user with read-only access should have access to and .write if it's something that requires full read/write access.

Do not equate read and write with get and post - there may be things that only a user with full access is allowed to read.

Any endpoint that has needsPermission will require the auth header to be set to access. jQuery is set up by us to add that header for any request - so your $.ajax requests will work.

The <script> loading of xterm.js won't work because the browser doesn't know to add the auth header.

In general though, loading static JavaScript resources doesn't need to be behind an endpoint protected by needsPermission. So the fix would be to add a separate endpoint for serving these resources and don't use needsPermission on it.

5 Likes
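
The split described in the answer above, as an added example that is not part of the original thread or of Node-RED's own code: static assets go on an endpoint without needsPermission so a plain `<script>` tag can load them, while data and action endpoints keep `.read` / `.write` permissions. The node name `my-terminal`, the URL paths, the file allow-list and the `registerEndpoints` helper are assumptions made for illustration.

```javascript
// Hypothetical allow-list: the only files served without the auth header.
// Anything else (e.g. "../settings.js") is refused, so the open endpoint
// cannot be used to read arbitrary files from the server.
const PUBLIC_FILES = new Set(["xterm.js", "xterm.css"]);

// Call this from the node's module function: registerEndpoints(RED, dir),
// where dir is the directory that holds the browser-side assets.
function registerEndpoints(RED, resourceDir) {
  // Static assets: no needsPermission, because the browser does not add
  // the auth header to <script src="..."> or <link href="..."> requests.
  RED.httpAdmin.get("/my-terminal/resources/:file", (req, res) => {
    const name = req.params.file;
    if (!PUBLIC_FILES.has(name)) {
      return res.sendStatus(404);
    }
    // Express resolves the name relative to root and rejects traversal.
    res.sendFile(name, { root: resourceDir });
  });

  // Something a read-only user may see: ".read".
  // The editor's jQuery $.ajax calls carry the auth header automatically.
  RED.httpAdmin.get(
    "/my-terminal/status",
    RED.auth.needsPermission("my-terminal.read"),
    (req, res) => res.json({ connected: true })
  );

  // Something that needs full read/write access: ".write".
  // The permission reflects who may call it, not the HTTP verb.
  RED.httpAdmin.post(
    "/my-terminal/exec",
    RED.auth.needsPermission("my-terminal.write"),
    (req, res) => res.sendStatus(204)
  );
}
```

Only files with no sensitive content belong in the allow-list, since anyone who can reach the admin HTTP port can fetch them without logging in.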