How would you know it sent the hash to the server? It would have to tell you, and if it were undermined, they would just say, "Yep, hash checks out!" You'd really need a browser extension or something installed locally that checks the code for you, in which case you might as well just install something that does proper end-to-end encryption anyway.
What about it hashes itself, sends the hash to the server through a tunnel generated by the questionable cryptosystem. If that checks out, the server sends back a more robust cryptosystem through the questionable tunnel.
But Then we're right back where we started. Is that questionable tunnel weak enough to be considered vulnerable?
End-to-end is more easily checked for security.
To me, Javascript's good for an embedded system, no doubt about the possibility of a cryptosystem being implementable, but, it's difficult to consider it secure for many use cases.
