It isn't and was taken into account while building this. So responding to that, this application is utilizing a secure PRNG called 'seedrandom' that produces a sufficiently random seed.
Taking this route allows entropy to be collected from local sources; such as your cookies, browsing history, scroll position, clock, native random number generator, and more. Most would agree that this is more than secure for a random seed source. Feel free to learn more about it here.
On document load, this is where all the magic happens:
The application utilizes a 7,776-word listing. The wordlist was derived from The EFF's new long list. Great compilation.
You may have noticed on the first request this site, it takes a little bit to get up and running (but hopefully not). That's because your browser is downloading the full wordlist into an array within your browser to choose from. This makes absolutely certain there are no server-side calls after the wordlist is successfully downloaded.
Future note, if there is enough of a call for it, I'd like to add functionality for custom wordlists. We'll see if this becomes popular enough to warrant it.
Command Line Access
This route comes with a BIG caveat: it should not be considered secure. Calls made to the command line via secure@xkcd-pw:~$ curl -L xkcd.pw/ is not generated locally. It is making a call to a server-side, command-line xkcd password generator.
Optionally, adding additional path parameters returns a different word count. Check out the example below.