I am in the middle of preparing to launch a site on my company's hosting platform. This site in particular consumes a service, provided by a server running on NodeJS. We typically secure dev sites behind some basic authentication by the web server, which is mainly done to prevent dev sites from being indexed by search crawlers. So to get past this basic authentication, I set the dev URL to follow the username:password@domain convention. I have not used this often, only for simple cases over the years. But in this case, the testing team found that ajax requests, using this convention, fail in Firefox.
So lesson learned. It's 2019, so let's avoid the username:password@domain convention entirely.