Forgive my ignorance, if anyone knows of an initiative that does what I am about to suggest... It's an idea off the top of my head, without too much thought: Is it about time we start to sign our JavaScript so that browsers will only execute the JS if it can verify the signature? I know, there are so many drawbacks, especially for those of us who are developers, but I'd value security on the Internet over the additional development overheads.
It crops up occasionally; the issue has always been the effort of client support, and that it only anchors the validity to that of the document referencing the JavaScript (or whatever).
These days there's an active spec underway for "Subresource Integrity" at w3: http://www.w3.org/TR/SRI/, which is pretty much exactly that, so hopefully it'll happen eventually.
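Added example (not part of the thread, and not any poster's or the W3C's code): a Node.js sketch of the check Subresource Integrity asks a browser to make before running a script. The function names, the sample script bytes and the `cdn.example` URL are constructed for illustration.

```javascript
// SRI-style integrity check, standard library only.
const crypto = require("crypto");

// Hash functions SRI defines, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Value for the integrity="" attribute: "<alg>-<base64 digest>".
function sriValue(body, alg = "sha384") {
  return `${alg}-${crypto.createHash(alg).update(body).digest("base64")}`;
}

// Tag the page author would publish (hypothetical URL). crossorigin is
// needed so a cross-origin response can be checked at all.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${sriValue(body)}" crossorigin="anonymous"></script>`;
}

// Parse whitespace-separated "alg-base64[?options]" tokens;
// tokens with an unknown algorithm are ignored.
function parseIntegrity(attr) {
  const out = [];
  for (const token of attr.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) out.push({ alg: m[1], digest: m[2] });
  }
  return out;
}

// True if the fetched bytes may run under the given integrity attribute.
function matchesIntegrity(body, attr) {
  const parsed = parseIntegrity(attr);
  if (parsed.length === 0) return true; // no usable metadata: nothing is enforced
  // Only digests of the strongest algorithm present are considered.
  const rank = (p) => STRENGTH.indexOf(p.alg);
  const strongest = parsed.reduce((a, b) => (rank(b) > rank(a) ? b : a)).alg;
  return parsed.filter((p) => p.alg === strongest).some((p) => {
    const actual = crypto.createHash(p.alg).update(body).digest();
    const expected = Buffer.from(p.digest, "base64");
    return expected.length === actual.length && crypto.timingSafeEqual(actual, expected);
  });
}

// Constructed sample: the published script and a modified copy.
const SCRIPT = Buffer.from('console.log("hello");\n');
const MODIFIED = Buffer.from('console.log("hello!");\n');

console.log(scriptTag("https://cdn.example/app.js", SCRIPT));
console.log(matchesIntegrity(SCRIPT, sriValue(SCRIPT)), matchesIntegrity(MODIFIED, sriValue(SCRIPT)));
```

The digest travels inside the referencing page, so the check is only as trustworthy as the channel that delivered that page.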
Or deprecate HTTP and enforce HTTPS only?