Login — XHR / fetch (no <form>)

No HTML form element. Inputs are styled like a form but submitted via fetch() as JSON. Tests whether an intermediary's password-typing / POST-block rules apply when there is no form context (no synchronous form submission, no application/x-www-form-urlencoded). The server responds 302 → / with cookies set, just like the form-based variants — we use fetch({redirect:"manual"}) here so you can observe the 302 directly.