The browser would obviously have to be smart enough to mark code that came from any sort of http source, even those embedded in https pages or https loaded by http pages, as non-executable. That would probably be the easiest way to do it anyway. Once we hit http, the level of trust drops and stays dropped.

Having thought about this a bit more, that would be an browser option that we could use today without any general convention. Turning on the "No script execution without https" option would break very little and would prevent more than just MITM attacks.