I’m sure Florent B’s solutions are viable, but for retro-fitting an old test, I found that zoonabar’s solution posted to this duplicate question is easier to implement, takes considerably less code, and requires no special preparation of the test box. It also seems that it would be easier to follow for new developers looking at the code.
In short: visiting any URL with credentials before visiting the URL under test (without credentials) will cause the browser to remember the credentials.
goTo("http://user:password@localhost"); // Caches auth, but page itself is blocked
goTo("http://localhost"); // Uses cached auth, page renders fine
// Continue test as normal
This may feel like a vulnerability in the browser which will be patched, but I think this is unlikely; the restriction has been imposed to avoid phishing risks (where the username chosen looks like a domain, e.g. “http://google.com:long-token-here-which-makes-the-real-domain-disappear@example.com/“), and this workaround for setting credentials doesn’t pose the same risk.