TL;DR: A website is served over HTTPS and needs to access a WebSockets server over an unencrypted channel (ws:// url). The browser doesn't like this.
Encrypting the websocket is possible, but inconvenient - there is no trusted authority which could sign the certificate and thus it will be needed to manually install it for every client. I'd like to leave that as the last resort.
The website must be served over HTTPS and cannot be downgraded to HTTP.
Is there any other way to bypass this restriction? I tried Content-Security-Policy, but it didn't work.
Vix,
The scenario you're describing is one of the scenarios that were considered to be a security issue when the restrictions against opening non-secure Websocket connections were put in place.
A user visiting a secure website (HTTPS) assumes all data is secure. The browser will not allow non-secure communication within this context (unless it has a security fault). This should include asset requests and any other requests invoked within the secure context (expect "mixed content" messages to slowly fade into history, as restrictions tighten up).
It's even worst on some browsers. For example, Safari will refuse to open a secure Websocket connection to an unsigned server even if the webpage was loaded with temporary approval for the certificate.
Is there any other way to bypass this restriction?
I'm sorry to report that the short answer to your question is "no".