> That's correct, the problem is that it's an authentication service and while > I *could* put the credentials on the URL, it would be sending them in the > clear across the internet, which is not acceptable.
That's a tough one. A typical jsonp implementation uses either iframes or (in jQuery's $.ajax case) a dynamically-inserted script tag. Neither allows you to affect the header that's sent. And of course XMLHTTPRequest lets you jiggle headers but doesn't allow cross-domain requests. Are you implementing your own cross-domain authentication service, or are you using some other service?
