Yes, this one of the many problems that are still plaguing Websockets. The lack of a standard security model. Everyone is interpreting the security rules according to their taste, creating more problems than what they solve.
This is not to say that FireFox is wrong. Maybe the FF team is the only one who gets the websoscket security right, but so far there's no consensus in the various implementations.
We have spent at least the last month experimenting with browsers, security models, various server side implementations and I have to say I am largely disappointed at the current state of the Websocket "standard". It is still pretty immature and far from being production ready. Especially the client side is highly inconsistent across browsers.
Take Safari, for example. As of today there's no way to locally test an SSL websocket app without having a certified SSL certificate, which is preposterous. This is just one of a larger number of issues that are afflicting the framework at the moment. Not to mention the mobile side of things.
We're currently looking into various implementations that are mature enough and stable enough to provide solid support for the SSL side of websockets. So far the quest hasn't proved very satisfactory and we'll probably have to settle for a good-enough solution. HTML5 is still in its infancy and problems will continue to be fixed as the standard gets refined.
Sorry for the rant.
Hopefully SSL support will be available in the next release, although I cannot guarantee it 100% at this moment.
I'll post more updates along the way.
Thanks