I just discovered that nsWebSocketEstablishedConnection throws NS_NOT_IMPLEMENTED when accessing securityInfo readonly attribute though it keeps reference to the socket transport where from we can easily obtain the security info.
When the web socket instance is secure it reports it self as non-secure, I don't think it is a good idea.
If anybody doesn't object I'll implement the method properly.
in the websockets -06 patch, nsWebSocketEstablishedConnection no longer implements nsIChannel - so strictly speaking it makes this a nop.
That same patch introduces nsIWebSocketProtocol, which largely plays the role of what established connection used to do, and that idl does define and implement the securityInfo attribute.
fixed as part of 640003