iron-ajax
Handling of 401 Unauthorized by XMLHttpRequest instead of user agent
Right now, when Authorization headers are specified and the request returns a 401 status code, the user agent handles the request by asking for credentials (modal). However, one might want to be able to handle this response through the iron-ajax response callback function. To solve this, the xhr.open() function has to be modified according to the following W3C spec:
If the user agent supports HTTP Authentication and Authorization is not in the list of author request headers, it should consider requests originating from the XMLHttpRequest object to be part of the protection space that includes the accessed URIs and send Authorization headers and handle 401 Unauthorized requests appropriately.
If authentication fails, Authorization is not in the list of author request headers, request username is null, and request password is null, user agents should prompt the end user for their username and password.
If authentication fails, Authorization is not in the list of author request headers, request username is non-null, and request password is non-null, user agents must not prompt the end user for their username and password. [RFC2617]
End users are not prompted if username/password are provided through the open() API so that authors can implement their own user interface.
See: http://www.w3.org/TR/XMLHttpRequest1/ and http://www.w3.org/TR/XMLHttpRequest1/#dom-xmlhttprequest-open
The solution for this would be to add the ability to specify the username and password as parameters in the xhr.open() function. e.g.
    xhr.open(
      options.method || 'GET',
      options.url,
      options.async !== false,
      options.username,
      options.password
    );
Of course, a check will have to be made as to whether or not the username and password are actually provided. I will leave that implementation up to you.
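One way to write the check the issue leaves open, as an added example that is not part of the original issue or of iron-ajax's code: credentials are passed to `open()` only when both are non-null, the condition under which the quoted spec text says the user agent must not prompt, and a 401 is routed to a callback. The names `buildOpenArgs`, `openRequest`, `on401` and `onResponse` are hypothetical.

```javascript
// Added example; all function and option names here are assumptions.

// null and undefined both count as "not provided".
function isProvided(value) {
  return value !== null && value !== undefined;
}

// Build the argument list for xhr.open(). Username and password are appended
// only when BOTH are provided; a lone username or lone password is dropped so
// the call never carries half a credential pair.
function buildOpenArgs(options) {
  const args = [options.method || 'GET', options.url, options.async !== false];
  if (isProvided(options.username) && isProvided(options.password)) {
    args.push(String(options.username), String(options.password));
  }
  return args;
}

// Open the request and hand a 401 to the caller's own handler, so the page
// can show its own login UI; every other status goes to onResponse.
function openRequest(xhr, options) {
  xhr.open.apply(xhr, buildOpenArgs(options));
  xhr.onload = function () {
    if (xhr.status === 401 && typeof options.on401 === 'function') {
      options.on401(xhr);
    } else if (typeof options.onResponse === 'function') {
      options.onResponse(xhr);
    }
  };
  return xhr;
}
```

In a browser `xhr` is an `XMLHttpRequest` instance; any object with an `open` method is enough to exercise the argument logic.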