IMO hashing the password before sending it still is insecure, you are still holding the password in the javascript code in the browser when you don't need to. If the user presses Ctrl+Shift+J and hunts around in Chrome's debugger they can probably find the unencrypted password. Maybe no big deal if it's your password, but then it's vulnerable to javascript injection or XSS attacks that can let an attacker get the unencrypted password!
I don't see any reason at all to deal with passwords in a HTML5 app, it's always going to be insecure, and there's no reason to - you can do it all securely with the traditional cookies/session state. I strongly recommend you change your login system to never use passwords in the Construct 2 itself.