[iancarroll]

Your unencrypted (or just unauthenticated) HTML page might suddenly start sending the password you enter elsewhere...

[pdx]

Really, how? Because somebody compromised the server? So what? If they did that, all bets are off.

[dpark]

No, because someone MITMs your insecure channel and serves you a malicious page that steals your password and the unencrypted data.