[ from the big comment e-mail; raising as a separate issue, as requested ]
If the browser is already sending credentials for a particular protection space (to use RFC2617 terminology), XHR SHOULD send them when accessing resources in the same space. It'll need to define precedence between these and those explicitly used in a call (which would override, I presume).
In other words, if I'm already logged into a site, XHR should reuse my credentials, rather than ask me for them again.
-- Mark Nottingham [EMAIL PROTECTED]
