This specification defines an API that provides the time origin, and current time in sub-millisecond resolution, such that it is not subject to system clock skew or adjustments.
Status of This Document
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
The base definition for the Performance interface, previously specified in [PERFORMANCE-TIMELINE],
is now moved to this specification and now includes support for the Performance.now method in Web Workers
[WORKERS];
This document was published by the Web Performance Working Group as a Candidate Recommendation.
This document is intended to become a W3C Recommendation.
Comments regarding this document are welcome. Please send them to
public-web-perf@w3.org
(subscribe,
archives)
with [hr-time] at the start of your email's subject.
W3C publishes a Candidate Recommendation to indicate that the document is believed to be
stable and to encourage implementation by the developer community. This Candidate
Recommendation is expected to advance to Proposed Recommendation no earlier than
03 April 2018.
Publication as a Candidate Recommendation does not imply endorsement by the W3C
Membership. This is a draft document and may be updated, replaced or obsoleted by other
documents at any time. It is inappropriate to cite this document as other than work in
progress.
This document was produced by
a group
operating under the
W3C Patent Policy.
W3C maintains a public list of any patent
disclosures
made in connection with the deliverables of
the group; that page also includes
instructions for disclosing a patent. An individual who has actual knowledge of a patent
which the individual believes contains
Essential
Claim(s) must disclose the information in accordance with
section
6 of the W3C Patent Policy.
The ECMAScript Language specification [ECMA-262] defines the Date
object as a time value representing time in milliseconds since 01 January,
1970 UTC. For most purposes, this definition of time is sufficient as these
values represent time to millisecond precision for any instant that is
within approximately 285,616 years from 01 January, 1970 UTC. The
DOMTimeStamp is defined similarly [WEBIDL].
In practice, these definitions of time are subject to both clock skew
and adjustment of the system clock. The value of time may not always be
monotonically increasing and subsequent values may either decrease or
remain the same.
For example, the following script may record a positive number, negative
number, or zero for computed duration:
Example 1
var mark_start = Date.now();
doTask(); // Some taskvar duration = Date.now() - mark_start;
For certain tasks this definition of time may not be sufficient as it
does not allow for sub-millisecond resolution and is subject to system
clock skew. For example,
When attempting to accurately measure the elapsed time of navigating
to a Document, fetching of resources or execution of script, a
monotonically increasing clock with sub-millisecond resolution is
desired.
When calculating the animation state from script, developers will
need to accurately know the amount of time that has elapsed in the
animation in order to properly update the next scene of the
animation.
When calculating the frame rate of a script based animation,
developers will need sub-millisecond resolution in order to determine if
an animation is drawing at 60 FPS. Without sub-millisecond resolution, a
developer can only determine if an animation is drawing at 58.8 FPS or
62.5 FPS.
When attempting to cue audio to a specific point in an animation or
ensure that the audio is synchronized with the animation, developers will
need to accurately know the amount of time elapsed in the animation and
audio.
When multiple contexts need to synchronize work with sub-millisecond
resolution (e.g. when using dedicated or
shared workers to drive animation, audio, etc., in a
renderer context), or to create a unified view of the event
timeline.
This specification does not propose changing the behavior of
Date.now() [ECMA-262] as it is genuinely useful in
determining the current value of the calendar time and has a long history
of usage. The DOMHighResTimeStamp type, performance.now
method, and performance.timeOrigin attributes of the
Performance interface resolve above issues by providing
monotonically increasing time values with sub-millisecond resolution.
1.1 Examples
This section is non-normative.
A developer may wish to construct a timeline of their entire
application, including events from dedicated or
shared workers, which have different time
origin's. To display such events on the same timeline, the
application can translate the DOMHighResTimeStamp's with the help
of the performance.timeOrigin attribute.
Example 2
// ---- worker.js -----------------------------// Shared worker script
onconnect = function(e) {
var port = e.ports[0];
port.onmessage = function(e) {
// Time execution in workervar task_start = performance.now();
result = runSomeWorkerTask();
var task_end = performance.now();
}
// Send results and epoch-relative timestamps to another context
port.postMessage({
'task': 'Some worker task',
'start_time': task_start + performance.timeOrigin,
'end_time': task_end + performance.timeOrigin,
'result': result
});
}
// ---- application.js ------------------------// Timing tasks in the documentvar task_start = performance.now();
runSomeApplicationTask();
var task_end = performance.now();
// developer provided method to upload runtime performance data
reportEventToAnalytics({
'task': 'Some document task',
'start_time': task_start,
'duration': task_end - task_start
});
// Translating worker timestamps into document's time originvar worker = new SharedWorker('worker.js');
worker.port.onmessage = function (event) {
var msg = event.data;
// translate epoch-relative timestamps into document's time origin
msg.start_time = msg.start_time - performance.timeOrigin;
msg.end_time = msg.end_time - performance.timeOrigin;
reportEventToAnalytics(msg);
}
2. Conformance
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples,
and notes in this specification are non-normative. Everything else in this specification is
normative.
The key words MUST and SHOULD are
to be interpreted as described in [RFC2119].
Some conformance requirements are phrased as requirements on attributes,
methods or objects. Such requirements are to be interpreted as requirements
on user agents.
3. Time Origin
The time origin is the time value from which
time is measured:
otherwise, the time of the user confirming the navigation during the previous
document's
prompt to unload algorithm, if a previous document exists and if the
confirmation dialog was displayed;
The time origin timestamp and the value returned by
Date.now() executed at "zero time" can differ because the former is
recorded with respect to a global monotonic clock that is not subject to
system and user clock adjustments, clock skew, and so on—see 7.Monotonic Clock.
The current high resolution time is the high resolution time
from the time origin to the present time (typically called "now").
A DOMHighResTimeStampSHOULD represent a time in milliseconds
accurate enough to allow measurement while preventing timing attack
- see 8.1Clock resolution for additional considerations.
Note
If the User Agent is unable to provide a time value
accurate to 5 microseconds due to hardware or software constraints, the
User Agent can represent a DOMHighResTimeStamp as a time in
milliseconds accurate to a millisecond.
The
time values returned when calling the performance.now() method
on Performance objects with the same time originMUST use the
same monotonic clock that is monotonically increasing and not
subject to system clock adjustments or system clock skew. The difference
between any two chronologically recorded time values returned from the
performance.now() method MUST never be negative if the two time values
have the same time origin.
The time values returned when getting performance.timeOriginMUST
use the same global monotonic clock that is shared by time
origin's, is monotonically increasing and not subject to system clock
adjustments or system clock skew, and whose reference point is the Unix
time—see 8.Privacy and Security.
Note
The user agent can reset its global monotonic clock across
browser restarts, or whenever starting an isolated browsing session—e.g.
incognito or similar browsing mode. As a result, developers should not use
global timestamps as absolute time that holds its monotonic properties
across all past, present, and future contexts; in practice, the monotonic
properties only apply for contexts that can reach other by exchanging
messages via one of the provided messaging mechanisms - e.g. postMessage,
BroadcastChannel, etc.
8. Privacy and Security
8.1 Clock resolution
Access to accurate timing information, both for measurement and
scheduling purposes, is a common requirement for many applications. For
example, coordinating animations, sound, and other activity on the page
requires access to high-resolution time to provide a good user
experience. Similarly, measurement enables developers to track the
performance of critical code components, detect regressions, and so
on.
However, access to the same accurate timing information can sometimes
be also used for malicious purposes by an attacker to guess and infer
data that they can't see or access otherwise. For example, cache attacks
and statistical fingerprinting is a privacy and security concern where a
malicious web site may use high resolution timing data of various browser
or application-initiated operations to differentiate between subset of
users, and in some cases identify a particular user - see
[CACHE-ATTACKS].
This specification defines an API that provides sub-millisecond time
resolution, which is more accurate than the previously available
millisecond resolution exposed by DOMTimeStamp. However, even without
this new API an attacker may be able to obtain high-resolution estimates
through repeat execution and statistical analysis. To ensure that the new
API does not significantly improve the accuracy or speed of such attacks,
the recommended minimum resolution of the DOMHighResTimeStamp type
should be inaccurate enough to prevent attacks.
Issue 56: Reducing the precision of the DOMHighResTimeStamp resolution
Due to recent developments this may need to increase significantly, but the working group has not yet reached consensus on what the new recommend minimum value should be.
Mitigating such timing side-channel attacks entirely is practically
not possible: either all operations would have to execute in a time that
does not vary based on the value of any confidential information, or, the
application would need to be isolated from any time-related primitives
(clock, timers, counters, etc). Neither is practical due to the
associated complexity for the browser and application developers and the
associated negative effects on performance and responsiveness of
applications.
8.2 Clock drift
This specification also defines an API that provides sub-millisecond
time resolution of the zero time of the time origin, which requires and
exposes a global monotonic clock to the application, and that must
be shared across all the browser contexts. The global monotonic
clock does not need to be tied to physical time, but is recommended
to be set with respect to the Unix time to avoid exposing new
fingerprint entropy about the user—e.g. this time can already be easily
obtained by the application, whereas exposing a new logical clock
provides new information.
However, even with above mechanism in place, the global monotonic
clock may provide additional clock drift resolution. Today, the
application can timestamp the time-of-day and monotonic time values (via
Date.now() and performance.now()) at multiple points within the same
context and observe drift between them—e.g. due to automatic or user
clock adjustments. With the performance.timeOrigin attribute, the
attacker can also compare the time at which time origin is zero,
as reported by the global monotonic clock, against the current
time-of-day estimate of when it is zero (i.e. difference between
Date.now()-performance.now() and performance.timeOrigin) and
potentially observe clock drift between these clocks over a longer time
period.
In practice, the same time drift can be observed by an application
across multiple navigations: the application can record logical time in
each context and use a client or server time synchronization mechanism to
infer changes in the user's clock. Similarly, lower-layer mechanisms such
as TCP timestamps may reveal same high-resolution information to the
server without the need for multiple visits. As such, the information
provided by this API should not expose any significant or previously not
available entropy about the user.
A. Acknowledgments
Thanks to
Arvind Jain,
Angelos D. Keromytis,
Boris Zbarsky,
Jason Weber,
Karen Anderson,
Nat Duca,
Philippe Le Hegaret,
Ryosuke Niwa,
Simha Sethumadhavan,
Todd Reifsteck,
Tony Gentilcore,
Vasileios P. Kemerlis,
Yoav Weiss, and
Yossef Oren
for their contributions to this work.