Fix accessing manifest behind basic auth

Apparently the manifest spec doesn't include sending credentials in an
attempt to be secure by default.

Fixes #1212.