jsampsonPC wrote:
Is this as big of a security issue as I'm thinking?

The browser'll send cookies and WWW-Authenticate headers to the web service same as to a regular page, so security should be no different.