Sending JavaScript over HTTP does technically allow for MitM attacks. Not to mention we know how great even Chrome's loudly bragged-about sandbox is (it isn't, is my point).
If you are loading the patch in HTTPS, all connections should be in HTTPS.