this can be mitigated by using a browser addon to calculate and verify the web js content is matching the hash in a public code repo. That is how CTemplar Mail does it.

I'm disappointed they haven't implemented something like this.