You can't serve dynamically-loaded crypto code. What happens when someone hacks gmail and replaces crypto.aes.js with crypto.plaintext.js and suddenly every gmail user who thought they were sending encrypted mail are just sending plaintext messages?
Crypto code needs to be packaged/signed/verified and cannot load in code dynamically without running the risk of completely compromising its security.
This is why it's just not possible to securely serve code that does crypto in a web app. Browser extensions are the next step up, but they also have to be careful to never load code from any external locations (among other considerations they have to make when running in a browser environment).
