Heh I did not know about that JS function. Not sure if it has broad support everywhere though, but that's easy to test. In this case we would use btoa: https://developer.mozilla.org/en-US/docs/DOM/window.btoa
I'd rather we add this to cordova-js for this feature then, since I think all platforms have the header support.
Yup, it will require that extra request for my method. My proposed patch was a quick and dirty code insertion without having to muck about with any other working parts - tradeoff is the extra request.
When I tested it, no - the creds in the URL are not read by the server, but who knows it might just have been the server I was testing with.