I find that a rather surprising oversight from a security viewpoint.
The only way I can think of to work around this is to have your own intermediary server. This will accept websocket-only connections from clients, and in turn it will make websocket-only connections to Asterisk.
Would that work? Is there a chance that any of the content might be (accidentally) interpreted by ARI?