http://www.vsecurity.com/download/tools/fbha-poc_0.1.zip is a proof of concept of using xmlhttprequest to allow html form-based auth but using http auth underneath instead of cookies. On Firefox, IE, Safari, and Chrome, it uses http auth, but does not pop up any browser password dialog boxes. In Epiphany though, both the login and logout pages pop up a dialog. (To run the test server, download the zip file, unzip it, and just run the python script, giving it a port number.) Haven't looked in detail, but it seems like the difference might be that the other browsers never prompt for passwords on xmlhttprequest requests? (or at least, on xmlhttprequest requests that contain password arguments)