signed code bundles with sts must-staple style semantics for preventing downgrades sounds reasonable. would probably also need some kind of protection in the browser runtime that prevents/limits scope of changes to execution that can be evoked via web resources outside of that bundle.
kinda starts to point towards a move from traditional www domain/location security semantics to abstract identity based approaches.