--- a/src/network/access/qhttpnetworkconnection.cpp	Wed Jun 23 19:07:03 2010 +0300
+++ b/src/network/access/qhttpnetworkconnection.cpp	Tue Jul 06 15:10:48 2010 +0300
@@ -343,9 +343,16 @@
                 copyCredentials(i,  auth, isProxy);
                 QMetaObject::invokeMethod(q, "_q_restartAuthPendingRequests", Qt::QueuedConnection);
             }
+        } else if (priv->phase == QAuthenticatorPrivate::Start) {
+            // If the url's authenticator has a 'user' set we will end up here (phase is only set to 'Done' by
+            // parseHttpResponse above if 'user' is empty). So if credentials were supplied with the request,
+            // such as in the case of an XMLHttpRequest, this is our only opportunity to cache them.
+            emit q->cacheCredentials(reply->request(), auth, q);
         }
-        // changing values in QAuthenticator will reset the 'phase'
-        if (priv->phase == QAuthenticatorPrivate::Done) {
+        // - Changing values in QAuthenticator will reset the 'phase'.
+        // - If withCredentials has been set to false (e.g. by QtWebKit for a cross-origin XMLHttpRequest) then
+        //   we need to bail out if authentication is required.
+        if (priv->phase == QAuthenticatorPrivate::Done || !reply->request().withCredentials()) {
             // authentication is cancelled, send the current contents to the user.
             emit channels[i].reply->headerChanged();
             emit channels[i].reply->readyRead();