You are right, I wasn't. However, the solution to this is to not use passwords with plain-HTTP sites. Incognito mode will prevent a small surface of drive-by attacks, but the bigger problem if plaintext passwords in cleartext on the wire are also terrible.