By saving the HTML file and opening your local copy. You can audit the code and verify yourself that nothing will go over the wire unencrypted to their servers, so you get the benefit of them hosting the encrypted passes without having to trust them with your data. If you want it available anywhere, you don't want to save the file locally, and you don't trust the host, just host it yourself or grab it from GitHub.
> And hoping it includes all the java it needs, and doesn't go out and pick up some 3rd party library?
What Java? It's a self-contained, monolithic HTML file with JS and CSS inline. What dependency are you imagining you're not going to have?
> You would have to audit it to ensure it never includes everything else, or posts anything externally with every release.
Exactly as you would with KeePass, or any other conceivable solution. If you don't want to audit future releases, save the last one you audited and use that.
Don't forget to audit your browser (the thing without a version number anymore and with various metatemplates and it dynamically downloads on every load) and its implementation of ECMAScript. But everyone already knew that.
By that logic, you can't know KeePass is safe without auditing Mono, your compiler, your checksum tool, the editor you used for the audit, the logic gates of your CPU, etc. Auditing anything is impossible.
If you can't get a copy of Firefox that you trust hasn't been altered as part of a conspiracy to make you believe OneShallPass is a legit password manager, you've got bigger problems.
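The audit-then-pin routine argued for in this thread, as an added example that is not part of any comment or of OneShallPass's own code: it lists remote references and network-capable JavaScript APIs in a single-file HTML app, and pins the SHA-256 of the copy you reviewed. The function names and both sample pages are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Attributes that make the browser load from, or submit to, another URL.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster"}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)
CSS_REMOTE = re.compile(r"(?:url\(|@import)\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)
# APIs that can send data off the page. A hit means "read this code", not "malicious".
NET_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b")

class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_refs, self.net_apis, self._raw = [], set(), None

    def handle_starttag(self, tag, attrs):
        self._raw = tag if tag in ("script", "style") else None
        for name, value in attrs:
            if name in URL_ATTRS and value and REMOTE.match(value):
                self.remote_refs.append((tag, name, value.strip()))
            elif name == "style" and value:
                self.remote_refs += [(tag, "style", u) for u in CSS_REMOTE.findall(value)]

    def handle_endtag(self, tag):
        self._raw = None

    def handle_data(self, data):
        if self._raw == "script":      # inline JS: note network-capable APIs
            self.net_apis.update(NET_APIS.findall(data))
        elif self._raw == "style":     # inline CSS: url()/@import can fetch too
            self.remote_refs += [("style", "css", u) for u in CSS_REMOTE.findall(data)]

def audit(html_bytes):
    """Return the file hash plus everything in it that points off the page."""
    p = _Auditor()
    p.feed(html_bytes.decode("utf-8", errors="replace"))
    p.close()
    return {"sha256": hashlib.sha256(html_bytes).hexdigest(),
            "remote_refs": p.remote_refs, "net_apis": sorted(p.net_apis)}

def matches_audited(html_bytes, pinned_sha256):
    """True only if this copy is byte-identical to the one that was audited."""
    return hashlib.sha256(html_bytes).hexdigest() == pinned_sha256.lower()

# Constructed sample pages (not taken from any real project).
CLEAN = b"<html><style>body{color:#000}</style><script>var k = derive(pw);</script></html>"
TAMPERED = (b'<html><script src="https://cdn.example/lib.js"></script>'
            b'<script>fetch("/log", {method: "POST"})</script></html>')
```

The scan does not look inside `on*` event-handler attributes or see through obfuscated calls, so an empty report narrows what to read rather than replacing the read. The pinned hash is what lets you keep using the last release you audited.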