Ow, my brain. People forget how hostile an environment JavaScript is for trusted code. It's not just that you can stage an elaborate man-in-the-middle attack; it's that anything that allows you to run code in the same JS instance can sabotage the encryption. That includes MITM, but it also includes XSS and JavaScript injection, JSON injection, and it applies to every source of script and DOM content that builds up the page.
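An added illustration of the point above, not part of the original comment: in one JS realm, "trusted" crypto glue and every other script share the same mutable built-ins, so a later script can sit between the plaintext and the cipher. The function names are hypothetical and the messages are constructed sample data.

```javascript
// Constructed demo: one JS realm shared by "trusted" crypto glue and any other script.
// protectPlaintext, simulateInjectedScript and builtinsIntact are hypothetical names.

// Captured at startup, before any other script runs: the references we trust.
const pristine = { encode: TextEncoder.prototype.encode };

// "Trusted" code: turns plaintext into bytes on its way to a cipher.
// It looks TextEncoder.prototype.encode up at call time, as most code does.
function protectPlaintext(text) {
  return new TextEncoder().encode(text);
}

// Stand-in for any later script in the same realm (XSS, injected tag, bad dependency).
// It wraps the built-in, records what passes through, and returns that record.
function simulateInjectedScript() {
  const seen = [];
  const original = TextEncoder.prototype.encode;
  TextEncoder.prototype.encode = function (input) {
    seen.push(input);
    return original.call(this, input);
  };
  return seen;
}

// Defender's check: do the live built-ins still match the startup references?
function builtinsIntact() {
  return TextEncoder.prototype.encode === pristine.encode;
}

// Partial mitigation: call the captured reference instead of the live lookup.
function protectPlaintextPinned(text) {
  return pristine.encode.call(new TextEncoder(), text);
}

function runDemo() {
  const before = builtinsIntact();
  const seen = simulateInjectedScript();
  protectPlaintext("wire $500 to account 42"); // constructed sample plaintext
  const leakedViaLiveLookup = seen.length;      // the wrapper saw this message
  protectPlaintextPinned("second message");     // the pinned call bypasses the wrapper
  const result = { before, after: builtinsIntact(), leakedViaLiveLookup, leakedTotal: seen.length };
  TextEncoder.prototype.encode = pristine.encode; // restore for later callers
  return result;
}

console.log(runDemo());
```

Pinning only helps when the trusted code is the first thing to run in the realm, which is exactly what a page assembled from many script and DOM sources cannot guarantee.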