Well, he's making multiple arguments, and that first one was an argument. My position is that it is a ridiculous one.
I am also not entering the discussion of native apps running UIWebView. I have zero comment on that (mainly because I'm disinterested in the subject).
My only comment is on home-screen web apps, which are 100% equivalent to opening the page on your browser. They deserve more privileges because the user had to make a decision to install them. It makes no sense to me whatsoever that a random advertisement loaded from some insecure URL on a web page is allowed to access Nitro and web cache, but a web app that I trust enough to install on my home screen is not.
Ironically, I'm actually pretty happy with this decision, because I believe all apps should be in the browser. I'm just telling it like it is when people make nonsensical arguments.
You are entering the discussion of native apps running UIWebView because (according to Gruber) that is exactly how home-screen web apps are implemented.
"My only comment is on home-screen web apps, which are 100% equivalent to opening the page on your browser."
From Gruber:
"Web apps that are saved to the home screen do not run within Mobile Safari. They’re effectively saved as discrete apps — thin wrappers around the UIWebView control."
"I'm just telling it like it is when people make nonsensical arguments."
Your failure to read and understand his arguments have made them sound nonsensical to you. This is not his fault.
I initially thought you were just splitting hairs, but seeing as you've used this argument somewhere else in this thread I think this might be a genuine thought you have so I will take the time to explain why home-screen web apps are absolutely nothing like other native apps on the system, and actually essentially the same as loading a web page in MobileSafari. So for starters, let us observe that there are three instances where JS can run on iOS that we care about:
1. MobileSafari, from a web page loaded from a URL.
2. Home-Screen Web Apps, web pages loaded from a URL that the user then 'saves to the homes screen' which are loaded in some mysterious, but APPLE WRITTEN, "wrapper" process X.
3. UIWebViews within native apps that you buy on the App Store.
Now, my position is that (1) and (2) are for all intents and purposes the same, and (3) is possibly different. So, the whole argument about turning it off for UIWebView is that the interaction between native code and Nitro might offer an additional vector of security concern. Well, in both (1) and (2), there is no user native code. It literally just either downloads the JS off the web, or reloads it straight from the web. All the native code is written PURELY by Apple. So in a world where the only user modifiable code comes from the web, then clearly this is the same as where we started with MobileSafari. The additional thing to realize, is that unlike native apps (3), home-screen web apps (2) are NOT code signed, just like web pages (1). So that also nullifies the argument that allowing Nitro on home-screen web apps would go against Apple's code signing policies.
Hopefully that explains my thinking a little bit clearer.
Once again, I am very willing to believe that they had a deadline to meet, and turning it on for home-screen web apps got punted. That makes perfect sense. The security argument however falls flat on its face.
I think Tolmasky's point was that, even though Web.app embeds the same UIWebView as non-Apple native apps, Web.app was written by Apple. Apple could enable Nitro JIT for Web.app because its native code was written (and audited) by Apple. The only third-party code executed by Web.app is JavaScript that is already assumed to be safe enough to use the Nitro JIT in Mobile Safari.
It makes a heap of assumptions though, and feels kind of like a non-techie person saying "why dont you just whip up a GUI app to trace my IP".
Enabling Nitro JIT for UIWebView for some applications without enabling it for every app in the app store is probably more difficult than toggling a switch.
You seem to confusing facts with claims on a blog written by a third party. It's not hard to believe Web.app (the process which runs home screen apps) uses UIWebView or a close cousin, but neither you nor Gruber (or anyone on this site) has offered any evidence of that fact.
I find the fact that Web.app behaves exactly like every other application that uses a UIWebView to be very compelling evidence that Web.app is an application uses UIWebView.
The alternative appears to be that to create Web.app they went to all the trouble of reusing the Mobile Safari code, and then methodically went through and broke things such that it behaves exactly like every other application that uses UIWebView.
This would seem like an unreasonable way to get an application that behaves exactly like an application that uses UIWebView.
They deserve more privileges because the user had to make a decision to install them
I think it is technically different, but on other systems, the HTML pages I put on my desktop have fewer privileges than the ones I load from web sites. (https://bugzilla.mozilla.org/show_bug.cgi?id=230606)
As to the subject at hand: one line of reasoning says that not allowing JIT-ting for home-screen apps is an oversight; home-screen apps apparently do not run in the Safari process. I guess there is no way to find out whether that is true. If Apple fixes it in the next firmware update, one could argue either that they fixed the problem, or that they stalled fixing it for as long as they could get away with, and I am sure the internet will be filled with such arguments, even if that next update appears tomorrow.
Finally, for UIWebView, a secure solution could exist: provide a system call that does "javascript source code in, executable code block out". I do not know whether that could be made performant enough, though, given that the JIT-ter must be very fine-grained, must update existing code blocks, etc. It definitely would be quite a bit of work.
I am also not entering the discussion of native apps running UIWebView. I have zero comment on that (mainly because I'm disinterested in the subject).
My only comment is on home-screen web apps, which are 100% equivalent to opening the page on your browser. They deserve more privileges because the user had to make a decision to install them. It makes no sense to me whatsoever that a random advertisement loaded from some insecure URL on a web page is allowed to access Nitro and web cache, but a web app that I trust enough to install on my home screen is not.
Ironically, I'm actually pretty happy with this decision, because I believe all apps should be in the browser. I'm just telling it like it is when people make nonsensical arguments.