I’m making a chrome extension that requires fetching an xml file from a secure server.

I’m currently using XMLHttpRequest() to make a call to the server

https://username:password@mydomain.com

which returns an xml object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.

How should I store the user password in chrome so that it is secure? chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. it doesn’t allow extensions to access the ‘remember my password’ storage(with good reasons).

and is there a more secure way to do http auth? My current way of doing things requires passing the username/password in plain text in the url each time the function is called, even if the the authentication session hasn’t expired.