diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index d81bfe4ab7c4..0f0fbecf66fb 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -60,6 +60,7 @@ use string_cache::Atom;
 use time;
 use timers::{ScheduledCallback, TimerHandle};
 use url::Url;
+use url::percent_encoding::{utf8_percent_encode, USERNAME_ENCODE_SET, PASSWORD_ENCODE_SET};
 use util::str::DOMString;
 
 pub type SendParam = BlobOrStringOrURLSearchParams;
@@ -293,7 +294,9 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
     }
 
     // https://xhr.spec.whatwg.org/#the-open()-method
-    fn Open(&self, method: ByteString, url: USVString) -> ErrorResult {
+    fn Open_(&self, method: ByteString, url: USVString, async: bool,
+                 username: Option<USVString>, password: Option<USVString>) -> ErrorResult {
+        self.sync.set(!async);
         //FIXME(seanmonstar): use a Trie instead?
         let maybe_method = method.as_str().and_then(|s| {
             // Note: hyper tests against the uppercase versions
@@ -324,10 +327,11 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
 
                 // Step 6
                 let base = self.global().r().get_url();
-                let parsed_url = match base.join(&url.0) {
+                let mut parsed_url = match base.join(&url.0) {
                     Ok(parsed) => parsed,
                     Err(_) => return Err(Error::Syntax) // Step 7
                 };
+
                 // XXXManishearth Do some handling of username/passwords
                 if self.sync.get() {
                     // FIXME: This should only happen if the global environment is a document environment
@@ -336,6 +340,21 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
                         return Err(Error::InvalidAccess)
                     }
                 }
+
+                if parsed_url.host().is_some() {
+                    if let Some(scheme_data) = parsed_url.relative_scheme_data_mut() {
+                        if let Some(user_str) = username {
+                            scheme_data.username = utf8_percent_encode(&user_str.0, USERNAME_ENCODE_SET);
+
+                            // ensure that the password is mutated when a username is provided
+                            scheme_data.password = match password {
+                                Some(pass_str) => Some(utf8_percent_encode(&pass_str.0, PASSWORD_ENCODE_SET)),
+                                None => None
+                            }
+                        }
+                    }
+                }
+
                 // abort existing requests
                 self.terminate_ongoing_fetch();
 
@@ -359,10 +378,8 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
     }
 
     // https://xhr.spec.whatwg.org/#the-open()-method
-    fn Open_(&self, method: ByteString, url: USVString, async: bool,
-                 _username: Option<USVString>, _password: Option<USVString>) -> ErrorResult {
-        self.sync.set(!async);
-        self.Open(method, url)
+    fn Open(&self, method: ByteString, url: USVString) -> ErrorResult {
+        self.Open_(method, url, true, None, None)
     }
 
     // https://xhr.spec.whatwg.org/#the-setrequestheader()-method