When ResourceHandle already has credentials provided via XMLHttpRequest argument or a URL, it shouldn't ask make a canAuthenticateAgainstProtectionSpace delegate call. If the client doesn't implement UI for password authentication, and thus returns false, CFNetwork won't call didReceiveAuthenticationChallenge, so we won't use the existing credentials. We should only go ask the client if the existing credentials turned out to be incorrect.