Is there any way to prevent or detect a man-in-the-middle attack over plain HTTP?
I want to run a javascript applet on a client machine with confidence that the code wasn't modified. Are there any clever tricks to sign the code or deliver it safely without going the usual route of HTTPS and a certificate?
No, not really. By the time you make it secure, you'll have had to reinvent at least 90% of HTTPS (or something very similar, anyway) -- but probably have done an inferior job of it. No insult intended, but very few people are capable of designing something like this adequately. The usual is for a specialist (or a few of them) to design it as well as they can, and still plan on having to fix at least a few problems over the next few years as more cryptanalysts look at it. Chances of a non-specialist getting it right the first time are right up there with those of winning a major lottery and being hit by lightning at exactly the same moment.