Think about what you've just said. How insecure is sending the password (hopefully over an HTTPS connection!) to a remote server?


How else do you allow someone to use a password to log in? I suppose you could run the hash locally if they have JavaScript, but if they don't, then what? (Edit: Good point, all the hash achieves is that the user's entry isn't sent in clear text. Of course, the hash itself then becomes the password for the purposes of authorization.)


Running a hash locally is equally useless. You've effectively turned the hashed value into the password itself, achieving nothing.

There are secure key-exchange schemes that don't require sending over the raw password, but this isn't an example of one.

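The claim above, that hashing in the browser only turns the hash into the password, is easy to show concretely. The following is an added illustration written for this thread, not code from any of the commenters; it models a server that receives whatever the client transmits (a raw password or a client-side SHA-256 of it) and stores a salted, slow server-side hash of that value. The function names, the simulated "observed token" and the sample password are all constructed for the example. It does not implement a PAKE such as SRP, which is the kind of scheme the "secure key-exchange" remark refers to.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # cost parameter chosen for the example, not a recommendation


def client_hash(password: str) -> str:
    """What a 'hash it in the browser' scheme would transmit instead of the raw password."""
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Minimal credential store: keeps a salted PBKDF2 verifier of whatever the client sent."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, verifier)

    def _derive(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, transmitted_secret: str) -> None:
        salt = os.urandom(16)
        self.db[username] = (salt, self._derive(transmitted_secret, salt))

    def login(self, username: str, transmitted_secret: str) -> bool:
        salt, verifier = self.db[username]
        # Constant-time comparison so the check itself leaks nothing about the verifier.
        return hmac.compare_digest(self._derive(transmitted_secret, salt), verifier)


SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample value


def token_is_password_equivalent() -> bool:
    """The client-side hash alone is enough to authenticate: it *is* the credential."""
    server = Server()
    server.register("alice", client_hash(SAMPLE_PASSWORD))
    # Model the token having been observed on the wire or in a log (why TLS still matters).
    observed_token = client_hash(SAMPLE_PASSWORD)
    # Whoever holds the token can log in without ever learning SAMPLE_PASSWORD.
    return server.login("alice", observed_token)


def stored_verifier_is_not_reusable() -> bool:
    """What server-side salted hashing still buys you: the database record is not a credential."""
    server = Server()
    server.register("alice", client_hash(SAMPLE_PASSWORD))
    salt, verifier = server.db["alice"]
    # Submitting the stored verifier as if it were the transmitted secret must fail,
    # because the server hashes it again with the salt before comparing.
    return not server.login("alice", verifier.hex())


def raw_and_hashed_schemes_behave_alike() -> bool:
    """Sending the raw password or a client hash makes no difference to the server's security model."""
    raw = Server()
    raw.register("bob", SAMPLE_PASSWORD)
    hashed = Server()
    hashed.register("bob", client_hash(SAMPLE_PASSWORD))
    return raw.login("bob", SAMPLE_PASSWORD) and hashed.login("bob", client_hash(SAMPLE_PASSWORD)) \
        and not raw.login("bob", "wrong") and not hashed.login("bob", client_hash("wrong"))


if __name__ == "__main__":
    print("client hash is password-equivalent:", token_is_password_equivalent())
    print("stored verifier cannot be replayed:", stored_verifier_is_not_reusable())
    print("raw vs client-hashed schemes equivalent:", raw_and_hashed_schemes_behave_alike())
```

The point the example makes is the one in the comment: the client-side hash protects nothing that TLS does not already protect, because the server accepts the hash as the secret. What does still matter is that the server salts and stretches whatever it receives, so that a leaked database row cannot be replayed as a login.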

Just about every signup and login form does this (and yes, preferably over TLS only). What is the problem with it?

The alternative is browser-side encryption of the password before sending but that will get @tptacek rightfully punching you in the face for even mentioning it.


