No, it doesn’t send the pass phrase to the server.
I haven’t looked at the code but I think the way it works is when you access Quick Access URL, it downloads Counterwallet (wallet s/w) in the browser, asks you to enter the password, at which point the password is used to derive wallet pass phrase from the URL.
I think one risk is that the URL might be intercepted, and then the attacker could brute-force the password for Quick Access URL. Because the connection is encrypted with HTTPS, the attacker either needs to break that, or break into Counterwallet server, and then brute-force your password. But if the latter happened they’d probably let you download something else and not Counterwallet code. The 12 word pass phrase is also not secure from the latter attack, so although Quick Access URL seems less secure, neither can handle the issue of the server falling under an attacker’s control. I don’t know if there are Web wallets that solve this problem better, though.