The patch applied in T180231 blocks legitimate remote access to the /vendor folder, e.g. to style, fonts, images, ...
This breaks the Chameleon skin and possibly other skins/extensions.
A less intrusive solution to the original issue would be to use FilesMatch in /vendor/.htaccess:
<FilesMatch "\.(php|inc)$">
    Order allow,deny
    Deny from all
</FilesMatch>
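One way to check which files under /vendor the proposed FilesMatch pattern would deny and which it would still serve, as an added example (not part of the original report or of the project's code). The sample paths are constructed, and the `SCRIPT_LIKE` extension list is an assumption about what a server might be configured to execute.

```python
import posixpath
import re

# Pattern copied from the FilesMatch directive proposed above.
FILESMATCH = re.compile(r"\.(php|inc)$")

# Assumption: extensions a server might hand to an interpreter.
# Whether they really execute depends on the handler configuration.
SCRIPT_LIKE = re.compile(r"\.(php\d?|phtml|phar|inc)$", re.IGNORECASE)


def is_denied(path):
    """FilesMatch tests the file's basename, case-sensitively and unanchored."""
    return FILESMATCH.search(posixpath.basename(path)) is not None


def audit(paths):
    """Split paths into denied/served and flag served files that look like scripts."""
    report = {"denied": [], "served": [], "review": []}
    for path in paths:
        if is_denied(path):
            report["denied"].append(path)
            continue
        report["served"].append(path)
        if SCRIPT_LIKE.search(posixpath.basename(path)):
            report["review"].append(path)
    return report


# Constructed sample paths, not taken from a real installation.
SAMPLE = [
    "vendor/example/skin-lib/css/style.css",
    "vendor/example/skin-lib/fonts/icons.woff",
    "vendor/example/skin-lib/img/logo.png",
    "vendor/autoload.php",
    "vendor/example/lib/config.inc",
    "vendor/example/lib/legacy.phtml",
    "vendor/example/lib/Tool.PHP",
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for bucket in ("denied", "served", "review"):
        print(bucket.upper())
        for path in result[bucket]:
            print("   ", path)
```

Paths listed under `review` are not covered by the pattern; compare them against the PHP handler mappings of the server in question before relying on the rule.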