
WWW-Authenticate Header CSRF Issue

I've heard from a friend that the WWW-Authenticate header can be explicitly defined within a malicious PHP file on a remote server and served with an image MIME type, e.g. image/jpeg or image/png.

Hypothetical Situation

Say this file is malicious.com/image.php and I add this image to my forum signature on some arbitrary forum. Specifically, gaiaonline.com. When another visitor visits a thread with my post on it, they'll see the login prompt given by the WWW-Authenticate header. After the visitor/victim has input their username/password, the hacker can store it on their remote server, email it to themselves, etc.

Malicious code: `<img src="malicious.com/image.php" />` containing a WWW-Authenticate header. Can be input through standard posting/BBCode.

How can this be fixed? I would think that a cross-domain access is available for this.


It can't be "fixed" except by disallowing any external images (e.g. by proxying them through your server so users never hit the real URL).

0
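The answer's mitigation (never let a visitor's browser talk to the poster's URL; fetch the image server-side and serve it from your own origin) is illustrated below. This is an added example, not code from the question or answer: it rewrites `[img]` BBCode to point at a hypothetical `/img` proxy endpoint, and the proxy handler refuses to relay anything that is not a plain `200` response with an image content type, so an upstream `401` plus `WWW-Authenticate` never reaches the browser. The `fetch` callable, the HMAC secret and the size limit are assumptions for the example; the URL signature only stops the proxy being used as an open fetcher.

```python
"""Image proxy sketch for forum signatures (added example, not the original post's code)."""
import hmac
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple
from urllib.parse import quote, urlparse

# Constructed secret for the example; a real deployment loads it from config.
SIGNING_SECRET = b"constructed-example-secret"
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif", "image/webp"}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for a signature image


@dataclass
class UpstreamResponse:
    """What the proxy saw when it fetched the poster's URL itself."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def sign(url: str) -> str:
    """HMAC over the URL so only links our rewrite step produced are proxied."""
    return hmac.new(SIGNING_SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def proxy_url(url: str) -> str:
    """Same-origin URL the visitor's browser will load instead of the remote one."""
    return f"/img?u={quote(url, safe='')}&s={sign(url)}"


IMG_RE = re.compile(r"\[img\](https?://[^\[\]\s]+)\[/img\]", re.IGNORECASE)


def rewrite_bbcode(text: str) -> str:
    """Rewrite every [img]http://...[/img] so the rendered <img> points at /img."""
    return IMG_RE.sub(lambda m: f"[img]{proxy_url(m.group(1))}[/img]", text)


def fetch_with_urllib(url: str, timeout: float = 5.0) -> UpstreamResponse:
    """Real fetcher: urllib raises HTTPError on 401, so the status is captured, not surfaced."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return UpstreamResponse(r.status, dict(r.headers.items()), r.read(MAX_BYTES + 1))
    except urllib.error.HTTPError as e:
        return UpstreamResponse(e.code, dict(e.headers.items()), b"")


def proxy_image(url: str, sig: str,
                fetch: Callable[[str], UpstreamResponse] = fetch_with_urllib
                ) -> Tuple[int, Dict[str, str], bytes]:
    """Handler for GET /img?u=...&s=... ; returns (status, headers, body) for the visitor."""
    if not hmac.compare_digest(sig, sign(url)):
        return 403, {}, b""
    if urlparse(url).scheme not in ("http", "https"):
        return 400, {}, b""
    upstream = fetch(url)
    # The visitor's browser only ever talks to our origin. Whatever the remote
    # script sends, including 401 + WWW-Authenticate, stops here: anything other
    # than a plain 200 is replaced by an empty 502 and no auth prompt can appear.
    if upstream.status != 200:
        return 502, {}, b""
    lowered = {k.lower(): v for k, v in upstream.headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_TYPES or len(upstream.body) > MAX_BYTES:
        return 502, {}, b""
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": "inline",
        "X-Content-Type-Options": "nosniff",  # never let the browser sniff it into HTML
    }
    return 200, headers, upstream.body


# Constructed stand-in for the network so the example runs offline.
def fake_fetch(url: str) -> UpstreamResponse:
    if "image.php" in url:
        return UpstreamResponse(401, {"WWW-Authenticate": 'Basic realm="login"',
                                      "Content-Type": "image/jpeg"})
    return UpstreamResponse(200, {"Content-Type": "image/png"}, b"\x89PNG\r\n\x1a\n")


if __name__ == "__main__":
    post = "hello [img]http://malicious.example/image.php[/img]"
    print(rewrite_bbcode(post))
    u = "http://malicious.example/image.php"
    print(proxy_image(u, sign(u), fake_fetch)[0])  # 502: the 401 never reaches the visitor
```

Rewriting at post-render time (rather than at submit time) also covers signatures that were stored before the proxy existed. The `X-Content-Type-Options: nosniff` header matters because the proxy serves attacker-chosen bytes from the forum's own origin.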
