I don't think either of those help if the website itself is pwned? SRI is fine if your website is secure but the CDN is pwned, the other one seems to be a defense a website can use against a malicious extension, but the risk with LastPass is if the LastPass website is pwned it can just read your password. You'd need some way to transfer essentially signed app bundles to the browser for the browser to verify, which seems like a different sort of project.
I assume ultimately something like signed releases will become a thing on the web, with the signing process being separate from the other processes so that a hack has to compromise two entirely different systems, not just the build pipeline, to allow new JS to run. Currently the only thing that is signed is the SSL certificate which of course guarantees precisely nothing about the actual website content served from the server other than that someone didn't tamper with it after it was sent.
