For a quick example go to https://httpbin.org/ and try this out in the console:
```
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://foo:b...@httpbin.org/basic-auth/foo/bar');
xhr.send();
setTimeout(function () { alert('Your password is: ' +
performance.getEntriesByType('resource').pop().name.split('@')[0].split(':').pop()
)}, 500);
```
Using basic auth may not be a great idea, but people still do,
inadvertently exposing passwords to other javascript on their pages.
