by amaccuish 2787 days ago
And if said "compromised" server simply decides to not supply the JS that hashes the password?
2 comments

Thanks for saying it. Client-side scripting can't protect against a compromised server when the client scripts are provided by that same server.
The answer is that it depends. We could be talking about protected JS with SRI, signed updates with an Electron client, a browser plugin or native hashing, a protocol similar to SSH that hashes the client pw, etc.