I think what xtacy means by MITM is that the javascript sent by the server might be MITM'd and altered to return a different value than the actual hash.
But for instance, if I'm trying to SHA1 a Windows 8 iso (the kind which I imagine would be by far the most common use case - in which a cryptographically secure hash algorithm isn't even a prerequisite any checksum would do).
It's not any worse than downloading the sha1sum app from any http site.
No, it's worse than downloading the "sha1sum" app, because you only have to download "sha1sum" once. You can use a variety of out-of-band methods to verify the file that you can't reasonably or cost-effectively do with a website.
A website is essentially "installed" every time you visit it.
But for instance, if I'm trying to SHA1 a Windows 8 iso (the kind which I imagine would be by far the most common use case - in which a cryptographically secure hash algorithm isn't even a prerequisite any checksum would do).
It's not any worse than downloading the sha1sum app from any http site.