Clearly what we need is cryptographically-signed JavaScript and CSP pinning.

(I’m only half joking)

EDIT: oh, CSP pinning is actually a thing that’s been proposed https://www.w3.org/TR/csp-pinning/