ok, is the idea that the HTML file with the 'secret' string is sitting on the client's hard-drive being accessed as a local file and presumably previously copied there in some secure manner? that wasn't clear to me from your initial description but it sounds like that must be what you're doing. (i had been assuming that all files involved were sent over from the webserver).
if this is the case, then i agree with jonnyfolk and perrin below that having the client enter a password is somewhat superfluous. you already have a shared secret, just use it as the password over an SSL connection. don't bother with javascript.
anders pearson