A signed applet/activex/etc. or browser plugin signed by a different authority, or under some kind of multi-party audit and control.
There is definitely something to building "hostproof" applications. Javascript delivered from the same host isn't how to do it. The long-term solution is probably some kind of packaged thing similar to a binary, and some means of separating out who controls the server infrastructure from who controls that code. Even if it's the same organization, there's no need for the code signing key to be "live" on the Internet, so someone who compromises front end servers shouldn't be able to compromise the binaries.
Browser java hasn't lived up to any of its promises, and I'm not sure about native code execution mechanisms. webcrypto might be a way to solve this general problem in the future.
There is of course the bootstrapping problem when you first visit a site, but there are out of band ways to try to address that.
The other option is just to give up and do mobile stuff; a mobile development framework combined with server-side development framework designed to build "hostproof" stuff would be pretty cool. You get a trusted platform, potentially can do trusted stuff server side too, have a reasonable third party for distributing updates (at least on iOS) with some level of auditing in case of a bad app being served, etc. The problem is that if you can't trust Apple, you're kind of doomed; the ideal would be a per-enterprise root of trust, where no one else has the ability to push OS/app updates, and can actually verify how the hardware works. There was some work done by NSA with Android in that direction.
There is definitely something to building "hostproof" applications. Javascript delivered from the same host isn't how to do it. The long-term solution is probably some kind of packaged thing similar to a binary, and some means of separating out who controls the server infrastructure from who controls that code. Even if it's the same organization, there's no need for the code signing key to be "live" on the Internet, so someone who compromises front end servers shouldn't be able to compromise the binaries.
Browser java hasn't lived up to any of its promises, and I'm not sure about native code execution mechanisms. webcrypto might be a way to solve this general problem in the future.
There is of course the bootstrapping problem when you first visit a site, but there are out of band ways to try to address that.
The other option is just to give up and do mobile stuff; a mobile development framework combined with server-side development framework designed to build "hostproof" stuff would be pretty cool. You get a trusted platform, potentially can do trusted stuff server side too, have a reasonable third party for distributing updates (at least on iOS) with some level of auditing in case of a bad app being served, etc. The problem is that if you can't trust Apple, you're kind of doomed; the ideal would be a per-enterprise root of trust, where no one else has the ability to push OS/app updates, and can actually verify how the hardware works. There was some work done by NSA with Android in that direction.