Recent discoveries found that the protocol that Websocket works with is vulnerable to attacks. Adam Barth demonstrated some serious attacks against the protocol that could be used by an attacker to poison caches that sit in between the browser and the Internet.
No Websocket support in Firefox 4 and Opera until the security issues are fixed
That’s why we’ve decided to disable support for WebSocket in Firefox 4, starting with beta 8 due to a protocol-level security issue. Beta 7 of Firefox has support for the -76 version of the protocol, the same version that’s included with Chrome and Safari. Beta 8 of Firefox 4 will remove that support. Anne van Kesteren of Opera also announced that Opera are dropping Websocket support. We are confident that other browser developers will follow.
What does this mean for developers?
Right now, your Websocket solutions will not work in Firefox 4 final. Once we have a version of the protocol that we feel is secure and stable, we will include it in a release of Firefox – even a minor update release. The code will remain in the tree to help development, but will only be activated when a developer sets a hidden preference in Firefox (the same applies to Opera).
If your code does proper object detection nothing should go wrong – when a user doesn’t have Websocket enabled the
window.WebSocket property will not be available.
Working on a fix
Mozilla is still excited about what WebSocket offers and we’re working hard with the IETF on a new WebSocket protocol.
Right now we are pushing the boundaries of what browsers can do for their users – this is what HTML5 is about.
Whenever you push the boundaries of any technology you will run into issues. The great thing about our situation right now is that we can react quickly and swiftly to any issues arising and fix them before our end users are the ones who suffer. Making the whole world upgrade and patch a final browser is almost impossible which is why it makes sense to test and patch in betas and nightlies.
About Chris Heilmann
Principal Evangelist at Mozilla for HTML5 and open web. Let's fix this!