@stsc It may help to explain that the web client isn’t a web page, it’s an entire javascript application that is displayed in the context of a browser, so it is effectively the same as using a desktop or mobile client, ensuring that we don’t ever get your Master Password.
The code for the web vault can be seen here: GitHub - bitwarden/web: The website vault (vault.bitwarden.com).
Here’s a broadcast we did to talk about how this works: