Difference between Firefox and Chrome handling of CORS
In Cross-Origin Resource Sharing:
Why can cookies and authentication information not be provided by the script author for the request?
This would allow dictionary based, distributed, cookies / user credentials search.
If you send a username and password when using withCredentials, then XMLHttpRequest.send(...) will fail in Firefox 4, but not on Chrome 11.0.696.16 dev. Removing the username and password will make it work on both of them.
I haven’t tested other versions.
Crippled example (won’t work directly):
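    function send_message(form) {
        $.ajax({
            'type': 'POST',
            'url': 'http://example.com',
            // Uncommenting these two options makes the request fail in Firefox 4.
            /* 'username': 'username',
            'password': 'password', */
            // Ask the browser to attach its own cookies / HTTP auth to the cross-origin request.
            xhrFields: {
                withCredentials: true
            },
            'async': true,
            'crossDomain': true
            // ... (other options omitted)
        });
    }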
Sending the username and password will raise an exception in Firefox even
before sending anything to the URL.
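A check for the condition described above, as an added example that is not part of the original post: it flags jQuery.ajax-style options that carry script-supplied credentials on a cross-origin request and returns a copy without them, so the call behaves the same in both browsers. The names auditAjaxOptions, stripScriptCredentials and PAGE_ORIGIN and the page origin value are hypothetical; the sample options are constructed from the post's snippet.

```javascript
// Added example: auditAjaxOptions, stripScriptCredentials and PAGE_ORIGIN
// are hypothetical names, not part of jQuery or of the original post.

// Reports whether a jQuery.ajax-style options object supplies credentials
// from script on a cross-origin request (the case Firefox 4 rejects).
function auditAjaxOptions(options, pageOrigin) {
  const target = new URL(options.url, pageOrigin);
  const crossOrigin = target.origin !== new URL(pageOrigin).origin;
  const withCredentials = Boolean(options.xhrFields && options.xhrFields.withCredentials);

  const findings = [];
  if (crossOrigin) {
    // jQuery forwards these options to XMLHttpRequest.open().
    if (options.username != null || options.password != null) {
      findings.push('script-supplied username/password on a cross-origin request');
    }
    // Credentials embedded in the URL itself (http://user:pass@host/).
    if (target.username !== '' || target.password !== '') {
      findings.push('userinfo embedded in a cross-origin URL');
    }
  }
  return { crossOrigin, withCredentials, findings, ok: findings.length === 0 };
}

// Returns a copy that relies only on browser-held credentials (cookies,
// cached HTTP auth) when the request is cross-origin.
function stripScriptCredentials(options, pageOrigin) {
  if (auditAjaxOptions(options, pageOrigin).ok) return { ...options };
  const { username, password, ...rest } = options;
  const target = new URL(options.url, pageOrigin);
  target.username = '';
  target.password = '';
  return { ...rest, url: target.href };
}

// Constructed sample input, modelled on the post's snippet.
const PAGE_ORIGIN = 'http://app.example.org';
const sample = {
  type: 'POST',
  url: 'http://example.com',
  username: 'username',
  password: 'password',
  xhrFields: { withCredentials: true },
  crossDomain: true,
};
```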