“wss works on both http and https” ??? This is a strange phrase.
wss
is secure only because it means “WebSocket protocol over https“. WebSocket protocol itself is not secure. There is no Secure WebSocket protocol, but there are just “WebSocket protocol over http” and “WebSocket protocol over https”. See also this answer.
As the author of nv-websocket-client (WebSocket client library for Java), I also doubt the phrase “if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secure” in the answer by oberstet.
Read RFC 6455 (The WebSocket Protocol) to reach the right answer. To become a true engineer, don’t avoid reading RFCs. Only searching technical blogs and StackOverflow for answers will never bring you to the right place.