According to this old GitHub issue (#35), it was possible to generate a private key with low entropy if the user doesn't move the mouse. But I doubt it's what @fred21 meant, since users usually move their mouse.
Hmm, okay, that I didn't know. I always thought bitaddress was using a browser CSPRNG (not math.random()) for the entropy. Mouse movement and the other variables should serve as a complement to the original entropy and shouldn't be overly reliant on that.
Anyhow, I think this proves my point that web generation is inherently insecure.
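The design described in the reply above (a CSPRNG as the base, mouse movement only as a complement) can be sketched as follows. This is an added example, not code from the thread or from bitaddress; `EntropyPool` and its methods are hypothetical names, and Node's `crypto.randomBytes` stands in for the browser's `crypto.getRandomValues` so the block runs offline.

```javascript
// Added example: a pool seeded from the CSPRNG, with user input mixed in by hashing.
const { randomBytes, createHash } = require("node:crypto");

class EntropyPool {
  // The seed parameter is injectable only so the mixing can be tested deterministically;
  // in normal use it defaults to 32 bytes from the CSPRNG.
  constructor(seed = randomBytes(32)) {
    if (!Buffer.isBuffer(seed) || seed.length < 32) {
      throw new Error("seed must be at least 32 bytes of CSPRNG output");
    }
    this.state = createHash("sha256").update("pool-init").update(seed).digest();
    this.samples = 0;
  }

  // Mix one supplementary sample (for example a mouse position and a timestamp).
  // Hash chaining means a sample can add unpredictability but cannot remove
  // what the CSPRNG seed already contributed.
  addSample(x, y, timeMs) {
    const sample = Buffer.alloc(16);
    sample.writeInt32BE(x | 0, 0);
    sample.writeInt32BE(y | 0, 4);
    sample.writeBigUInt64BE(BigInt(Math.floor(timeMs)), 8);
    this.state = createHash("sha256").update(this.state).update(sample).digest();
    this.samples += 1;
  }

  // 32 bytes of key material, derived from the state without exposing it.
  output() {
    return createHash("sha256").update("pool-out").update(this.state).digest();
  }
}

// A user who never moves the mouse still gets output driven by the full CSPRNG seed.
function keyWithoutMouse() {
  return new EntropyPool().output();
}

// Constructed sample input: three mouse samples (x, y, milliseconds).
function keyWithMouse(seed) {
  const pool = new EntropyPool(seed);
  for (const [x, y, t] of [[10, 20, 1000], [11, 22, 1016], [15, 30, 1033]]) {
    pool.addSample(x, y, t);
  }
  return pool.output();
}
```
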