Don't use username and password fields of xhr for authentication

[kewisch]

Using the username and password fields of xhr will sometimes cause messages like "no element found: http://username:pass@host/path/..." to show up in the error console. Not very nice to see.

Setting the Authorization header seems to work well, and there should also be an option to not pass anything and have browser/app prompt for the password, as far as that is possible. This might also allow for digest authentication easily.

[himselfv]

Please accept their changes.

Using XHR's "username/password" also triggers modern browsers to consider a CORS request to be "withCredentials". If you provide username and password and don't also do:

xhr.withCredentials = true

The request may simply fail with "readyState = DONE, HTTP result = 0" which is hard to debug.

And if you do set withCredentials, this opens another can of worms. Now you can't query DAV from another server even while providing your own username/password. And if you fudge with the server to allow "withCredentials" requests from anywhere, now anyone can ask the browser to use the user's cookies to make the request. Thanks CORS for merging these two concepts together.