See an analysis of the problem here.
We had the same problem only with a recent Safari version (all other versions were fine), and the cleanest fix was to modify the "www-authenticate"
header so that it doesn't return a Basic
or Digest
challenge.
Thus, the API url will never trigger the popup (whether it's called via Ajax or directly). Up to you to decide whether it's okay for your use case.