
If you read my later reply, you'll see that I actually prefer the way things are; I just don't like misinformation. I am perfectly capable of accepting that it's a matter of engineering time to get this to work. What I am not OK with is the notion that Safari is somehow a "trusted" app where this is not a security concern, whereas a home-screen web app is a security concern. There is no such thing as a trusted browser; any random malicious ad loaded in an iframe can have access to Nitro. Home screen web apps are necessarily just as safe or more safe than web pages.


From Gruber:

"Web apps that are saved to the home screen do not run within Mobile Safari. They’re effectively saved as discrete apps — thin wrappers around the UIWebView control."

Apple clearly believes that there are important security risks associated with their Nitro JavaScript Engine.

I have no trouble at all believing that they have been able to mitigate those concerns for Safari Mobile by using a solution that is not appropriate when applied to any arbitrary App that may choose to include a UIWebView.


"Web apps that are saved to the home screen", despite being "thin wrappers around the UIWebView control", are not "any arbitrary App that may choose to include a UIWebView".

If they can make it work for Mobile Safari, they can make it work for a "thin wrapper" without working for all UIWebViews.


Really? It seems to me that there are clear technical differences.

I'm interested in your thoughts though: how would you allow one arbitrarily large set of applications with arbitrary names to use the Nitro JavaScript engine via UIWebView, and still ensure that no third party developer could enable the ability on their own applications?

The way I would do it for a single application is to enable a special case for it in the underlying OS....


Make the template app static, sign it with whatever special permissions MobileSafari has. (I'm assuming that some special permission is needed, signed by Apple.)

Instantiate the app by copying it and placing the files related to the specific instance (manifest, html, cached files) in the standard mutable data directories (Documents, Cache, ...), which wouldn't affect the signature. (The name of the app and icon would have to be excluded from the signature.)

If this is how things work now, I wouldn't be surprised if the lack of Nitro was just an oversight on Apple's part (i.e. they forgot to give the template app the right permissions). If home page web apps are granted a special exception to the usual app-signing, I could imagine that they can't give them these permissions without leaking them to everyone.



