I need to make a page that will
I was thinking I could use XHR and specify the login headers directly, and then use javascript to create the iframe. Does this make sense? Will it work?
Due to the same-origin-policy your XHR approach won't work.
However, for HTTP authentication you can simply include the data in the url, i.e. the src of the <iframe>:
<iframe src="http://username:password@domain.tld/..."></iframe>
I think I don't have to mention that this should not be done if the login credentials are sensitive - they are likely to show up in the browser history.