Firefox has had sockets for a while and has also chosen to make them available to extensions only. Even Java Applets back in the day supported sockets only if you jumped through a bunch of hoops (if I recall correctly. it's possible you could only do socket communication with JNLP or something).
As far as I know, NACL is extension/app only as a way of controlling risk to the client.
Depends on what you mean by "jumped through hoops". You could open up a socket to communicate with the host the applet came from (lots of fun defining what that meant ;-) without being signed. If you were signed... all best might be off.
Firefox has had sockets for a while and has also chosen to make them available to extensions only. Even Java Applets back in the day supported sockets only if you jumped through a bunch of hoops (if I recall correctly. it's possible you could only do socket communication with JNLP or something).
As far as I know, NACL is extension/app only as a way of controlling risk to the client.