I have a question on using the Authorization header across domains.
"If the user agent supports HTTP Authentication and Authorization is not in the list of author request headers, it should consider requests originating from the XMLHttpRequest object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorized requests appropriately."
This bit is clear; however, there is no mention of what should happen if the Authorization header is present in the author request headers and there is no HTTP Authentication (username and password) in the open call going across domains. It is implied, however, that the Authorization header should be disallowed:
"Request username and request password are always ignored as part of a cross-origin request; including them would allow a site to perform a distributed password search."
Here is a specific use case:
Can someone clarify the behaviour in the spec?