I have this application that consists of a REST back-end intended to service requests from an HTML5/JavaScript client (which I'm also building).
I'm planning on
CORS issues aside (assuming you're making REST calls to your same domain), the big concern is the client would need to have the credentials inside the JavaScript. Anyone would be able to read your code and use them (as you've pointed out).
Even if the credentials are just the user's own, anything in your client side could be in danger of exposure by cross-site scripting or any browser plugins that can manipulate the DOM (I'm thinking for example things like the Selenium testing IDE).
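
As an added example (not part of the original answer): a build-time check, written in JavaScript for Node, that flags credentials embedded in a client bundle, since anything shipped to the browser can be read by anyone. The rule set, the function names and the sample bundle are constructed for illustration.

```javascript
// Added example: flag credentials hard-coded in client-side JavaScript before it ships.
// RULES, findEmbeddedCredentials and SAMPLE_BUNDLE are hypothetical names, not from the post.
const RULES = [
  // Literal HTTP Basic header value: "Basic " followed by base64 text.
  { id: 'basic-auth-literal', re: /['"`]Basic\s+([A-Za-z0-9+/]{8,}={0,2})['"`]/g },
  // btoa('user:pass') with a literal argument: the credentials sit in the source.
  { id: 'btoa-literal', re: /btoa\(\s*['"`]([^'"`:]+:[^'"`]+)['"`]\s*\)/g },
  // password / secret / apiKey assigned a string literal (not a value read at runtime).
  { id: 'secret-assignment',
    re: /\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['"`]([^'"`]{4,})['"`]/gi },
];

// Keep only the first two characters so the report does not leak the secret again.
function redact(value) {
  return value.slice(0, 2) + '*'.repeat(Math.max(value.length - 2, 0));
}

// Returns one finding per match: { rule, line, evidence }.
function findEmbeddedCredentials(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { id, re } of RULES) {
      re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = re.exec(text)) !== null) {
        findings.push({ rule: id, line: i + 1, evidence: redact(m[1]) });
      }
    }
  });
  return findings;
}

// Constructed sample bundle: three embedded credentials, three benign lines.
const SAMPLE_BUNDLE = [
  "const API = '/api/v1';",
  "const headers = { Authorization: 'Basic c2VydmljZTpodW50ZXIy' };",
  "fetch(API + '/orders', { headers, credentials: 'same-origin' });",
  "const auth = 'Basic ' + btoa('service:hunter2');",
  "const config = { apiKey: 'k-constructed-0001', timeout: 3000 };",
  "const password = document.querySelector('#pw').value; // typed by the user",
].join('\n');

for (const f of findEmbeddedCredentials(SAMPLE_BUNDLE)) {
  console.log(`line ${f.line}: ${f.rule} (${f.evidence})`);
}
```

A clean scan does not cover the second point in the answer: a credential the user types in at runtime is still reachable by injected script or a DOM-manipulating plugin.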