Abandoning URL embedded identities for Basic auth

Use an `Authorization` header instead, which is a safer choice than URL embedded identities (aka `http://user:pass@example.com`). [Chrome 19 dropped support][chromium128323] for URL embedded identities in XMLHttpRequest for security reasons.

Added documentation note about how this will overwrite any existing `Authorization` header that the user may have set.

[chromium128323]: https://code.google.com/p/chromium/issues/detail?id=128323

README.md

@@ -216,6 +216,8 @@ These are the available config options for making requests. Only the `url` is re
   withCredentials: false, // default
 
   // `auth` indicates that HTTP Basic auth should be used, and supplies credentials.
+  // This will set an `Authorization` header, overwriting any existing
+  // `Authorization` custom headers you have set using `headers`.
   // The username can be supplied as `user` or `username`
   // The password can be supplied as `pass` or `password`
   auth: {

lib/adapters/xhr.js

@@ -40,15 +40,15 @@ module.exports = function xhrAdapter(resolve, reject, config) {
   }
 
   // HTTP basic authentication
-  var configAuth = config.auth || {};
+  if (config.auth) {
-  var auth = {
+    var username = config.auth.user || config.auth.username || '';
-    username: configAuth.username || configAuth.user || '',
+    var password = config.auth.pass || config.auth.password || '';
-    password: configAuth.password || configAuth.pass || ''
+    requestHeaders['Authorization'] = 'Basic: ' + window.btoa(username + ':' + password);
-  };
+  }
 
   // Create the request
   var request = new adapter('Microsoft.XMLHTTP');
-  request.open(config.method.toUpperCase(), buildURL(config.url, config.params, config.paramsSerializer), true, auth.username, auth.password);
+  request.open(config.method.toUpperCase(), buildURL(config.url, config.params, config.paramsSerializer), true);
 
   // Set the request timeout in MS
   request.timeout = config.timeout;