This is a technique that's been in use for about a decade (in GenPass and SuperGenpass). There are, in fact, flaws in an all JavaScript bookmarklet solution, as the site you're visiting can snoop your JavaScript data structures and could readily figure out your master password. This is resolved by use of a Google extension that does not share a JavaScript interpreter with the page you're visiting; and it's reportedly been fixed in the bookmarklet version of SuperGenPass though I haven't read it to see how it is resolved.
But, your suggestion of a JS function that take the domain and secret key is how the GenPass and SuperGenPass bookmarklets have worked for years (and the flaw in that method has only been fixed this year, I think).
But, your suggestion of a JS function that take the domain and secret key is how the GenPass and SuperGenPass bookmarklets have worked for years (and the flaw in that method has only been fixed this year, I think).