Use Authorization headers for public webdav instead of URL

Instead of prepending the token as username in the URL, use the
Authorization header instead. This is because IE9 considers this a
cross-domain call and refuses to do it in the first place.

apps/files_sharing/tests/js/publicAppSpec.js

@@ -89,7 +89,8 @@ describe('OCA.Sharing.PublicApp tests', function() {
 		it('Uses public webdav endpoint', function() {
 			expect(fakeServer.requests.length).toEqual(1);
 			expect(fakeServer.requests[0].method).toEqual('PROPFIND');
-			expect(fakeServer.requests[0].url).toEqual('https://sh4tok@example.com/owncloud/public.php/webdav/subdir');
+			expect(fakeServer.requests[0].url).toEqual('https://example.com/owncloud/public.php/webdav/subdir');
+			expect(fakeServer.requests[0].requestHeaders.Authorization).toEqual('Basic c2g0dG9rOm51bGw=');
 		});
 
 		describe('Download Url', function() {

core/js/files/client.js

@@ -35,27 +35,25 @@
 		if (options.useHTTPS) {
 			url = 'https://';
 		}
-		var credentials = '';
-		if (options.userName) {
-			credentials += encodeURIComponent(options.userName);
-		}
-		if (options.password) {
-			credentials += ':' + encodeURIComponent(options.password);
-		}
-		if (credentials.length > 0) {
-			url += credentials + '@';
-		}
 
 		url += options.host + this._root;
 		this._defaultHeaders = options.defaultHeaders || {'X-Requested-With': 'XMLHttpRequest'};
 		this._baseUrl = url;
-		this._client = new dav.Client({
+
+		var clientOptions = {
 			baseUrl: this._baseUrl,
 			xmlNamespaces: {
 				'DAV:': 'd',
 				'http://owncloud.org/ns': 'oc'
 			}
-		});
+		};
+		if (options.userName) {
+			clientOptions.userName = options.userName;
+		}
+		if (options.password) {
+			clientOptions.password = options.password;
+		}
+		this._client = new dav.Client(clientOptions);
 		this._client.xhrProvider = _.bind(this._xhrProvider, this);
 	};