XMLHttpRequest is now forbidden from local files, and WebSocket should be, too.
<rdar://problem/7444841>
It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior.
XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL).
We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option).
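The distinction drawn in the comments above, as an added example that is not part of the bug thread and not WebKit's code: a simplified model of how a request from a `file:` page is classified under two file-URL origin policies. The policy names, function names and sample URLs are hypothetical and constructed for this illustration.

```javascript
// Simplified model for illustration only; not WebKit's implementation.
// Policy labels are hypothetical names for the two behaviours discussed above.
const FilePolicy = { UNIQUE_PER_FILE: 'unique-per-file', SHARED: 'all-files-one-origin' };

// One opaque origin per file URL, so a file is same-origin only with itself.
const perFileOrigins = new Map();
const newOpaque = () => ({ opaque: true });

function securityOrigin(urlString, filePolicy) {
  const url = new URL(urlString);
  switch (url.protocol) {
    case 'http:': case 'https:': case 'ws:': case 'wss:':
      return { opaque: false, scheme: url.protocol, host: url.hostname, port: url.port };
    case 'file:':
      if (filePolicy === FilePolicy.SHARED) {
        return { opaque: false, scheme: 'file:', host: '', port: '' };
      }
      if (!perFileOrigins.has(url.href)) perFileOrigins.set(url.href, newOpaque());
      return perFileOrigins.get(url.href);
    default:
      // data:, javascript: and other schemes without a parsable origin:
      // modelled here as a fresh opaque origin on every lookup.
      return newOpaque();
  }
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b; // an opaque origin equals only itself
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Classify a request (XHR or WebSocket) from pageUrl to targetUrl.
function classify(pageUrl, targetUrl, filePolicy) {
  const page = securityOrigin(pageUrl, filePolicy);
  const target = securityOrigin(targetUrl, filePolicy);
  return sameOrigin(page, target) ? 'same-origin' : 'cross-origin';
}

// Constructed sample URLs.
const page = 'file:///home/user/a.html';
for (const policy of Object.values(FilePolicy)) {
  for (const target of ['file:///home/user/b.html', 'ws://localhost:8080/chat',
                        'data:text/plain,hi']) {
    console.log(policy, target, '->', classify(page, target, policy));
  }
}
```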