PasswordField having a Security Exposure

While using Vaadin 8.1.5, I bumped into an unusual problem with the Vaadin Password Field. If there’s the PasswordField lying out in a Form, and if I end up saving off that page as HTML, I end up seeing that password in clear text. That to me is a security exposure, since ideally Vaadin should have masked off the Password Field when the user initiated a HTML Save operation.

Tried with an old version and we seem to have this with Vaadin 7.6.x as well.

Is there any strategic solution planned to address this issue? If not, any tactical solution that I can go after?

At least currently it’s working as [described in the docs]

You should note that the PasswordField hides the input only from “over the shoulder” visual observation. Unless the server connection is encrypted with a secure connection, such as HTTPS, the input is transmitted in clear text and may be intercepted by anyone with low-level access to the network. Also phishing attacks that intercept the input in the browser may be possible by exploiting JavaScript execution security holes in the browser.

As a workaround, my first thought was creating your own custom component that encrypts the password, while it’s being entered, with asymmetric cryptography.