
WWW-Authenticate Header CSRF Issue


I've heard from a friend that the WWW-Authenticate header can be explicitly defined within a malicious PHP file on a remote server and use an image MIME type, e.g. image/jpeg or image/png.

Hypothetical Situation

Say this file is malicious.com/image.php and I add this image to my forum signature on some arbitrary forum. Specifically, gaiaonline.com. When another visitor visits a thread with my post on it, they'll see the login prompt given by the WWW-Authenticate header. After the visitor/victim has input their username/password, the hacker can store it on their remote server, email it to themselves, etc.

Malicious code: <img src="malicious.com/image.php" /> containing WWW-Authenticate header. Can be input through standard posting/BBcode.

How can this be fixed? I would think that a cross-domain access is available for this.


Solution

  • It can't be "fixed" except by disallowing any external images (e.g. by proxying them through your server so users never hit the real URL).
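
The proxying approach from the answer, as an added example (not code from the original post): image URLs in posts are rewritten to a signed path on the forum's own origin, and the proxy relays only verified image bytes with headers it builds itself, so an upstream 401 carrying WWW-Authenticate never reaches the visitor. The `/imgproxy` path, `IMG_PROXY_KEY` and all function names are hypothetical.

```php
<?php
// Assumption: a random server-side secret, so the proxy only fetches URLs the forum itself signed.
const IMG_PROXY_KEY = 'replace-with-a-random-secret';

// Rewrite a user-supplied image URL so the browser only ever contacts the forum's origin.
function proxied_img_url(string $url): string {
    $sig = hash_hmac('sha256', $url, IMG_PROXY_KEY);
    return '/imgproxy?u=' . rawurlencode($url) . '&s=' . $sig;
}

// Called by the proxy endpoint before fetching: reject unsigned or non-HTTP(S) URLs.
function proxy_request_ok(string $url, string $sig): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true)
        && hash_equals(hash_hmac('sha256', $url, IMG_PROXY_KEY), $sig);
}

// Decide what the proxy sends back. Returns [status, headers, body].
// $upstreamHeaders is deliberately never copied: WWW-Authenticate, Set-Cookie
// and the upstream Content-Type are all dropped.
function filter_upstream(int $status, array $upstreamHeaders, string $body): array {
    $deny = [404, ['Content-Type' => 'text/plain'], 'image unavailable'];
    if ($status !== 200) {
        return $deny; // a 401 challenge ends here and is shown as a broken image
    }
    // Trust the leading bytes of the body, not the declared MIME type.
    $magic = [
        "\xFF\xD8\xFF"      => 'image/jpeg',
        "\x89PNG\r\n\x1a\n" => 'image/png',
        'GIF8'              => 'image/gif',
    ];
    foreach ($magic as $prefix => $type) {
        if (strncmp($body, $prefix, strlen($prefix)) === 0) {
            return [200, ['Content-Type' => $type, 'X-Content-Type-Options' => 'nosniff'], $body];
        }
    }
    return $deny;
}

// Constructed upstream responses (not captured traffic).
$hostile = filter_upstream(401, ['WWW-Authenticate' => 'Basic realm="Forum login"'], '');
$png     = filter_upstream(200, ['Content-Type' => 'image/png'], "\x89PNG\r\n\x1a\n(constructed)");
$src     = proxied_img_url('http://malicious.com/image.php');
parse_str((string) parse_url($src, PHP_URL_QUERY), $q);

echo $src, "\n";
echo 'signature ok: ', var_export(proxy_request_ok($q['u'], $q['s']), true), "\n";
echo 'hostile -> ', $hostile[0], ', png -> ', $png[0], ' ', $png[1]['Content-Type'], "\n";
```

The fetch step itself is not shown; because it requests attacker-chosen URLs from the forum's server, it should also refuse internal or non-public addresses and cap response size.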