Closed Bug 1793868 Opened 2 years ago Closed 2 years ago

Constructing a WebSocket from WebAssembly fails with a SecurityError

Categories

(Core :: DOM: Networking, defect, P1)

Firefox 106
Desktop
Windows 11
defect

Tracking

VERIFIED FIXED
107 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- unaffected
firefox106 + verified
firefox107 --- verified

People

(Reporter: Mr.YouKnowWhoIAm, Assigned: kershaw)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [necko-triaged])

Attachments

(2 files)

Attached file: An admittedly sloppy test case (deleted)

Firefox refuses to construct a WebSocket from WebAssembly. Specifically, Reflect.construct.bind(null, WebSocket, ["ws://localhost:8080"]) is passed as an import when instantiating a WebAssembly module.
The module immediately calls the import from the start function.

This problem can be reproduced in the latest version of Firefox Nightly (build ID 20221005094233).

Steps to reproduce

  1. Download and extract the attached .zip file to some directory.
  2. Open a terminal (like PowerShell).
  3. Run cd <path to files> to enter that directory.
  4. Run npx serve . (this assumes npm is installed on your system).
  5. Open Firefox.
  6. Navigate to http://localhost:3000.

Expected result

The browser attempts to establish a WebSocket connection, and no error is displayed on the test page.

Actual result

The browser refuses to attempt establishing a WebSocket connection and throws a SecurityError DOMException, which is displayed on the test page.
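
The call path described in this report, rebuilt as an added example (it is not the reporter's deleted attachment): a hand-assembled module whose start function calls its single import, which is the bound Reflect.construct. The import names env/connect, the module bytes and the helper constructFromWasmStart are assumptions; the URL is the one given in the report.

```javascript
// Added example (not the deleted attachment). Hand-assembled module:
//   (import "env" "connect" (func))   ;; func 0, supplied by JavaScript
//   (func call 0)                     ;; func 1
//   (start 1)                         ;; runs during instantiation
// The names "env", "connect" and constructFromWasmStart are assumptions.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,             // type 0: () -> ()
  0x02, 0x0f, 0x01,                               // import section, 1 entry
  0x03, 0x65, 0x6e, 0x76,                         // "env"
  0x07, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, // "connect"
  0x00, 0x00,                                     // kind: func, type 0
  0x03, 0x02, 0x01, 0x00,                         // func 1 has type 0
  0x08, 0x01, 0x01,                               // start = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b, // body: call 0; end
]);

// Instantiate the module with the bound constructor as its only import.
// The start function calls the import, so the constructor runs with
// WebAssembly as the immediate caller. Returns { ok, error } instead of
// throwing, so a page or a test can report the outcome.
function constructFromWasmStart(Ctor, args) {
  const imports = {
    env: { connect: Reflect.construct.bind(null, Ctor, args) },
  };
  try {
    new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES), imports);
    return { ok: true, error: null };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// In a browser page: log whether the constructor threw.
if (typeof document !== "undefined" && typeof WebSocket !== "undefined") {
  const r = constructFromWasmStart(WebSocket, ["ws://localhost:8080"]);
  console.log(r.ok ? "WebSocket constructed" : "threw " + r.error);
}
```

On an affected build the logged error name is SecurityError; on a fixed build the constructor returns and the connection attempt proceeds.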

Apparently 7f84017ef2414cec22aca43f40250223e969ddcc is causing this bug.

[Tracking Requested - why for this release]: I believe we should try not shipping with this regression. If I'm reading the code correctly, before the regressing patch we treated the socket as not secure when there was no principal, so we should probably replace the throwing line with a return false or so.

Regressed by: 1748005

:acreskey, since you are the author of the regressor, bug 1748005, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Flags: needinfo?(acreskey)
Keywords: regression

Smaug, we build our last beta today (9PM UTC), would it be possible for you to write this patch as you were the reviewer for bug 1748005? I am afraid Andrew is in the wrong timezone to make it on time for the last beta. Thanks!

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(smaug)

smaug's Slack status suggests he might be on PTO, so I'll try to write a patch.

Flags: needinfo?(smaug)
Flags: needinfo?(acreskey)
Severity: -- → S2
Priority: -- → P1
Whiteboard: [necko-triaged]
Assignee: nobody → kershaw
Status: NEW → ASSIGNED
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e258251923f9
Use the scheme of document's principal as the initial value of |isSecure|, r=emilio

Comment on attachment 9297407 [details]
Bug 1793868 - Use the scheme of document's principal as the initial value of |isSecure|, r=#necko

Beta/Release Uplift Approval Request

  • User impact if declined: Some websites could be broken.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: N/A
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch is straightforward and is verified locally.
  • String changes made/needed: N/A
  • Is Android affected?: Yes
Attachment #9297407 - Flags: approval-mozilla-beta?

Comment on attachment 9297407 [details]
Bug 1793868 - Use the scheme of document's principal as the initial value of |isSecure|, r=#necko

P1/S2, minimal patch and I think we would benefit from having it in our last beta even if it's not in Nightly yet, approved.

Attachment #9297407 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Reproduced the initial issue using an affected Firefox nightly build from 2022-10-04.

This issue is verified fixed using Firefox 107.0a1 (BuildId:20221006214011) and Firefox 106.0b9 (BuildId:20221006191955) on Windows 11 64bit, macOS 11 and Ubuntu 22.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+