I am in the middle of preparing to launch a site on my company's hosting platform. This site in particular consumes a service provided by a server running on Node.js. We typically secure dev sites behind some basic authentication by the web server, which is mainly done to prevent dev sites from being indexed by search crawlers. So to get past this basic authentication, I set the dev URL to follow the username:password@domain convention. I have not used this often, only for simple cases over the years. But in this case, the testing team found that Ajax requests using this convention fail in Firefox.
At first, I thought this might be an error halting code execution (we did have a JavaScript error pop up occasionally), but the Ajax request failed, even when the error occurred. I also thought that maybe the request was being blocked by the CORS policy, but no.
So lesson learned. It's 2019, so let's avoid the username:password@domain convention entirely.
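
One way to follow that advice is to strip the userinfo from the URL and send the same credentials in an `Authorization: Basic` header. This is an added example, not code from the original post; the helper names and the `dev.example.test` host are hypothetical.

```javascript
// Added example: helper names and the dev.example.test host are assumptions.

// Base64-encode a string as UTF-8 so non-ASCII passwords survive btoa().
function toBase64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// Split "https://user:pass@host/path" into a credential-free URL plus headers.
function splitUrlCredentials(rawUrl) {
  const url = new URL(rawUrl);
  const headers = {};
  if (url.username !== "" || url.password !== "") {
    // The URL API keeps userinfo percent-encoded; decode before building the header.
    const user = decodeURIComponent(url.username);
    const pass = decodeURIComponent(url.password);
    headers.Authorization = "Basic " + toBase64Utf8(user + ":" + pass);
    // Clearing both fields removes the "user:pass@" part from url.href.
    url.username = "";
    url.password = "";
  }
  return { url: url.href, headers };
}

// Drop-in wrapper: accepts the old-style URL, sends a clean URL plus header.
async function fetchWithBasicAuth(rawUrl, init = {}) {
  const { url, headers } = splitUrlCredentials(rawUrl);
  return fetch(url, {
    ...init,
    headers: { ...(init.headers || {}), ...headers },
  });
}
```

On a cross-origin call the `Authorization` header triggers a CORS preflight, so the service has to list it in `Access-Control-Allow-Headers`.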