The reason they're not fixing the generic version of this bug ("Only present HTTP authentication dialogs if it is the top-level document initiating the auth") is because it actually does break a lot of sites and cause other compatibility issues. If you look at the bug comments (
https://bugzilla.mozilla.org/show_bug.cgi?id=647010 ) you'll see a bunch of people giving examples of where the update broke things.
I do think it should be fixed for image resources, because literally nobody does authentication through images and if they do they need to be slapped upside the head. Mention that, not in general, but just for image/video-based resources.