I wish to use XHR to log in a site that utilizes HTTP fundamental authentication. The next piece performs this.

http = new XMLHttpRequest();
http.open("get", "http://...", false, username, password);
http.send("");

The issue is this doesn't work from the domain that's not the same as the main one in which the authentication is. The answer is straightforward enough: set the Access-Control-Allow-Origin header to *. And So I transformed my Apache configuration for this:

<Location />
    Header set Access-Control-Allow-Origin "*"

    AuthType Basic
    AuthName "trac"
    AuthUserFile /home/admin/development/pass.htpasswd
    Require valid-user
</Location>

Reactions from that page seem like:

HTTP/1.1 401 Authorization Required
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 11 Sep 2011 01:17:55 GMT
Keep-Alive: timeout=15, max=100
Vary: Accept-Encoding
WWW-Authenticate: Basic realm="trac"

The reactions don't have the Access-Control-Allow-Origin header. This appears strange.

After I make use of the same Header directive for that inside pages, the header is placed.

Why was the header not set? How can you set the Access-Control-Allow-Origin header for that HTTP fundamental authentication response in Apache?