This specification defines an API that provides the time origin, and current time in sub-millisecond resolution, such that it is not subject to system clock skew or adjustments.

Introduction

The ECMAScript Language specification [[ECMA-262]] defines the Date object as a time value representing time in milliseconds since 01 January, 1970 UTC. For most purposes, this definition of time is sufficient as these values represent time to millisecond precision for any instant that is within approximately 285,616 years from 01 January, 1970 UTC.

In practice, these definitions of time are subject to both clock skew and adjustment of the system clock. The value of time may not always be monotonically increasing and subsequent values may either decrease or remain the same.

For example, the following script may record a positive number, negative number, or zero for computed duration:

      var mark_start = Date.now();
      doTask(); // Some task
      var duration = Date.now() - mark_start;
    

For certain tasks this definition of time may not be sufficient as it:

This specification does not propose changing the behavior of Date.now() [[ECMA-262]] as it is genuinely useful in determining the current value of the calendar time and has a long history of usage. The {{DOMHighResTimeStamp}} type, {{Performance}}.{{Performance/now()}} method, and {{Performance}}.{{Performance/timeOrigin}} attributes of the {{Performance}} interface resolve the above issues by providing monotonically increasing time values with sub-millisecond resolution.

Providing sub-millisecond resolution is not a mandatory part of this specification. Implementations may choose to limit the timer resolution they expose for privacy and security reasons, and not expose sub-millisecond timers. Use-cases that rely on sub-millisecond resolution may not be satisfied when that happens.

Use-cases

This specification defines a few different capabilities: it provides timestamps based on a stable, monotonic clock, comparable across contexts, with potential sub-millisecond resolution.

The need for a stable monotonic clock when talking about performance measurements stems from the fact that unrelated clock skew can distort measurements and render them useless. For example, when attempting to accurately measure the elapsed time of navigating to a Document, fetching of resources or execution of script, a monotonically increasing clock with sub-millisecond resolution is desired.

Comparing timestamps between contexts is essential e.g. when synchronizing work between a {{Worker}} and the main thread or when instrumenting such work in order to create a unified view of the event timeline.

Finally, the need for sub-millisecond timers revolves around the following use-cases:

Examples

A developer may wish to construct a timeline of their entire application, including events from {{Worker}} or {{SharedWorker}}, which have different time origins. To display such events on the same timeline, the application can translate the {{DOMHighResTimeStamp}}s with the help of the {{Performance}}.{{Performance/timeOrigin}} attribute.

        // ---- worker.js -----------------------------
        // Shared worker script
        onconnect = function(e) {
          var port = e.ports[0];
          port.onmessage = function(e) {
            // Time execution in worker
            var task_start = performance.now();
            var result = runSomeWorkerTask();
            var task_end = performance.now();

            // Send results and epoch-relative timestamps to another context.
            // This runs inside the handler, where the timings are in scope.
            port.postMessage({
              'task': 'Some worker task',
              'start_time': task_start + performance.timeOrigin,
              'end_time': task_end + performance.timeOrigin,
              'result': result
            });
          };
        };

        // ---- application.js ------------------------
        // Timing tasks in the document
        var task_start = performance.now();
        runSomeApplicationTask();
        var task_end = performance.now();

        // developer provided method to upload runtime performance data
        reportEventToAnalytics({
          'task': 'Some document task',
          'start_time': task_start,
          'duration': task_end - task_start
        });

        // Translating worker timestamps into document's time origin
        var worker = new SharedWorker('worker.js');
        worker.port.onmessage = function (event) {
          var msg = event.data;

          // translate epoch-relative timestamps into document's time origin
          msg.start_time = msg.start_time - performance.timeOrigin;
          msg.end_time = msg.end_time - performance.timeOrigin;

          reportEventToAnalytics(msg);
        };

        // Ask the worker to run its task; it replies with the timings above
        worker.port.postMessage('start');
      

Time Origin

The time origin is the time value from which time is measured:

To get time origin timestamp, given a [=/global object=] |global|, run the following steps:

  1. Let timeOrigin be |global|'s [=relevant settings object=]'s [=environment settings object/time origin=].

    In {{Window}} contexts, this value represents the time when [=navigate|navigation has started=]. In {{Worker}} and {{ServiceWorker}} contexts, this value represents the time when the [=run a worker|worker is run=]. [[service-workers]]

  2. Let t1 be the {{DOMHighResTimeStamp}} representing the high resolution time at which the shared monotonic clock is zero.
  3. Let t2 be the {{DOMHighResTimeStamp}} representing the high resolution time value of the shared monotonic clock at timeOrigin.
  4. Let |total| be the sum of t1 and t2.
  5. Return the result of calling [=coarsen time=] with |total| and |global|'s [=relevant settings object=]'s [=environment settings object/cross-origin isolated capability=].

The value returned by [=get time origin timestamp=] is the high resolution time value at which time origin is zero. It may differ from the value returned by Date.now() executed at "zero time", because the former is recorded with respect to a shared monotonic clock that is not subject to system and user clock adjustments, clock skew, and so on — see .

The coarsen time algorithm, given a {{DOMHighResTimeStamp}} |timestamp| and an optional boolean |crossOriginIsolatedCapability| (default false), runs the following steps:

  1. Let |time resolution| be 100 microseconds, or a higher implementation-defined value.
  2. If |crossOriginIsolatedCapability| is true, set |time resolution| to be 5 microseconds, or a higher implementation-defined value.
  3. In an implementation-defined manner, coarsen and potentially jitter |timestamp| such that its resolution will not exceed |time resolution|.
  4. Return |timestamp|.

The relative high resolution time given a {{DOMHighResTimeStamp}} |time| and a [=Realm/global object=] |global|, is the result of the following steps:

  1. Let |coarse time| be the result of calling [=coarsen time=] with |time| and |global|'s [=relevant settings object=]'s [=environment settings object/cross-origin isolated capability=].
  2. Return the [=relative high resolution coarse time=] for |coarse time| and |global|.

The relative high resolution coarse time given a {{DOMHighResTimeStamp}} |coarseTime| and a [=Realm/global object=] |global|, is the difference between |coarseTime| and the result of calling [=get time origin timestamp=] with |global|.
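
The following JavaScript is an added illustration, not part of the specification: it implements coarsen time as plain clamping (one possible implementation-defined choice, without jitter) and shows what durations a script can then observe. The shape of the `global` stand-in object and all sample timestamps are constructed assumptions.

```javascript
// Added example, not from the specification. Coarsening here is plain
// clamping; the spec leaves the method (and any jitter) implementation-defined.
const DEFAULT_RESOLUTION_US = 100; // coarsen time, step 1
const ISOLATED_RESOLUTION_US = 5;  // coarsen time, step 2

function coarsenTime(timestampMs, crossOriginIsolatedCapability = false) {
  const resolutionUs = crossOriginIsolatedCapability
    ? ISOLATED_RESOLUTION_US
    : DEFAULT_RESOLUTION_US;
  // Count whole resolution-sized buckets in microseconds, then convert back
  // to milliseconds, so every result is a multiple of the resolution.
  const buckets = Math.floor((timestampMs * 1000) / resolutionUs);
  return (buckets * resolutionUs) / 1000;
}

// Relative high resolution time: coarsen first, then subtract the time
// origin timestamp. `global` is a hypothetical stand-in for a global object:
// { timeOriginTimestampMs, crossOriginIsolated }.
function relativeHighResolutionTime(timeMs, global) {
  const coarse = coarsenTime(timeMs, global.crossOriginIsolated);
  return coarse - global.timeOriginTimestampMs;
}

// Duration, in whole microseconds, that a script would compute from two
// now()-style readings taken at startMs and endMs on the shared clock.
function observedDurationUs(startMs, endMs, global) {
  const start = relativeHighResolutionTime(startMs, global);
  const end = relativeHighResolutionTime(endMs, global);
  return Math.round((end - start) * 1000);
}

// Constructed sample contexts sharing one time origin (values are made up).
const ordinary = { timeOriginTimestampMs: 5000, crossOriginIsolated: false };
const isolated = { timeOriginTimestampMs: 5000, crossOriginIsolated: true };

// A 39 microsecond operation inside one 100 microsecond bucket, and a
// 20 microsecond operation that happens to straddle a bucket edge.
console.log(observedDurationUs(5000.232, 5000.271, ordinary)); // 0
console.log(observedDurationUs(5000.232, 5000.271, isolated)); // 40
console.log(observedDurationUs(5000.29, 5000.31, ordinary));   // 100
```

With clamping alone, a single observed duration is always zero or a multiple of the time resolution, whatever the true length of the operation.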

The current high resolution time given a [=/global object=] |current global| must return the result of [=relative high resolution time=] given [=unsafe shared current time=] and |current global|.

The coarsened shared current time given an optional boolean |crossOriginIsolatedCapability| (default false), must return the result of calling [=coarsen time=] with the [=unsafe shared current time=] and |crossOriginIsolatedCapability|.

The unsafe shared current time must return the current value of the shared monotonic clock.

To get an epoch-relative timestamp, optionally with a date-time |time|:

  1. If |time| was not passed, set |time| to the current time.
  2. Assert: |time| is greater than or equal to 1 January 1970 00:00:00 UTC.
  3. Return the number of milliseconds from 1 January 1970 00:00:00 UTC to |time|: where each day is comprised of 86,400 seconds, each of which is 1000 milliseconds long (i.e., don't account for leap seconds).

The DOMHighResTimeStamp typedef

The {{DOMHighResTimeStamp}} type is used to store a time value in milliseconds, measured relative to the time origin or the shared monotonic clock, or a time value that represents a duration between two {{DOMHighResTimeStamp}}s.

      typedef double DOMHighResTimeStamp;
    

A {{DOMHighResTimeStamp}} SHOULD represent a time in milliseconds accurate enough to allow measurement while preventing timing attacks - see for additional considerations.

The EpochTimeStamp typedef

        typedef unsigned long long EpochTimeStamp;
      

An {{EpochTimeStamp}} represents the number of milliseconds from a given time to 01 January, 1970 00:00:00 UTC, excluding leap seconds. Specifications that use this type define how the number of milliseconds is interpreted. An {{EpochTimeStamp}} is initialized by calling [=epoch-relative timestamp=] with no arguments, which defaults to the current time. Specifications that require a different relative time can call [=epoch-relative timestamp=] with a date-time as an argument, if needed.

The Performance interface

      [Exposed=*]
      interface Performance : EventTarget {
          DOMHighResTimeStamp now();
          readonly attribute DOMHighResTimeStamp timeOrigin;
          [Default] object toJSON();
      };
    

`now()` method

The now() method MUST return the current high resolution time.

`timeOrigin` attribute

The timeOrigin attribute MUST return the value returned by [=get time origin timestamp=] for the relevant global object of [=this=].

`toJSON()` method

When toJSON() is called, run [[WEBIDL]]'s default toJSON steps.

Extensions to `WindowOrWorkerGlobalScope` mixin

The performance attribute

The performance attribute on the interface mixin {{WindowOrWorkerGlobalScope}} allows access to performance related attributes and methods from the [=Realm/global object=].

      partial interface mixin WindowOrWorkerGlobalScope {
        [Replaceable] readonly attribute Performance performance;
      };
  

Monotonic Clock

The time values returned when calling the {{Performance/now()}} method on {{Performance}} objects with the same time origin MUST use the same monotonic clock that is monotonically increasing and not subject to system clock adjustments or system clock skew. The difference between any two chronologically recorded time values returned from the {{Performance/now()}} method MUST never be negative if the two time values have the same time origin.

The time values returned when getting {{Performance}}.{{Performance/timeOrigin}} MUST use the same shared monotonic clock that is shared by time origins, is monotonically increasing and not subject to system clock adjustments or system clock skew, and whose reference point is the [[ECMA-262]] time definition - see [[[#sec-security]]].

The user agent can reset its shared monotonic clock across browser restarts, or whenever starting an isolated browsing session—e.g. incognito or similar browsing mode. As a result, developers should not use shared timestamps as absolute time that holds its monotonic properties across all past, present, and future contexts; in practice, the monotonic properties only apply for contexts that can reach each other by exchanging messages via one of the provided messaging mechanisms - e.g. `postMessage`, `BroadcastChannel`, etc.

In certain scenarios (e.g. when a tab is backgrounded), the user agent may choose to throttle timers and periodic callbacks run in that context or even freeze them entirely. Any such throttling should not affect the resolution or accuracy of the time returned by the monotonic clock.

Security Considerations

Clock resolution

Access to accurate timing information, both for measurement and scheduling purposes, is a common requirement for many applications. For example, coordinating animations, sound, and other activity on the page requires access to high-resolution time to provide a good user experience. Similarly, measurement enables developers to track the performance of critical code components, detect regressions, and so on.

However, access to the same accurate timing information can sometimes also be used for malicious purposes by an attacker to guess and infer data that they can't see or access otherwise. For example, cache attacks, statistical fingerprinting and micro-architectural attacks are a privacy and security concern where a malicious web site may use high resolution timing data of various browser or application-initiated operations to differentiate between subsets of users, identify a particular user or reveal unrelated but same-process user data - see [[?CACHE-ATTACKS]] and [[SPECTRE]] for more background.

This specification defines an API that provides sub-millisecond time resolution, which is more accurate than the previously available millisecond resolution exposed by {{EpochTimeStamp}}. However, even without this new API an attacker may be able to obtain high-resolution estimates through repeat execution and statistical analysis.

To ensure that the new API does not significantly improve the accuracy or speed of such attacks, the minimum resolution of the {{DOMHighResTimeStamp}} type should be inaccurate enough to prevent attacks.

Where necessary, the user agent should set higher resolution values to |time resolution| in [=coarsen time=]'s processing model, to address privacy and security concerns due to architecture or software constraints, or other considerations.

In order to mitigate such attacks user agents may deploy any technique they deem necessary. Deployment of those techniques may vary based on the browser's architecture, the user's device, the content and its ability to maliciously read cross-origin data, or other practical considerations.

These techniques may include:

Mitigating such timing side-channel attacks entirely is practically impossible: either all operations would have to execute in a time that does not vary based on the value of any confidential information, or the application would need to be isolated from any time-related primitives (clock, timers, counters, etc). Neither is practical due to the associated complexity for the browser and application developers and the associated negative effects on performance and responsiveness of applications.

Clock resolution is an unsolved and evolving area of research, with no existing industry consensus or definitive set of recommendations that applies to all browsers. To track the discussion, refer to Issue 79.

Clock drift

This specification also defines an API that provides sub-millisecond time resolution of the zero time of the time origin, which requires and exposes a shared monotonic clock to the application, and that must be shared across all the browser contexts. The shared monotonic clock does not need to be tied to physical time, but is recommended to be set with respect to the [[ECMA-262]] definition of time to avoid exposing new fingerprint entropy about the user — e.g. this time can already be easily obtained by the application, whereas exposing a new logical clock provides new information.

However, even with the above mechanism in place, the shared monotonic clock may provide additional clock drift resolution. Today, the application can timestamp the time-of-day and monotonic time values (via Date.now() and {{Performance/now()}}) at multiple points within the same context and observe drift between them—e.g. due to automatic or user clock adjustments. With the {{Performance/timeOrigin}} attribute, the attacker can also compare the time at which time origin is zero, as reported by the shared monotonic clock, against the current time-of-day estimate of when it is zero (i.e. the difference between `Date.now() - performance.now()` and `performance.timeOrigin`) and potentially observe clock drift between these clocks over a longer time period.

In practice, the same time drift can be observed by an application across multiple navigations: the application can record the logical time in each context and use a client or server time synchronization mechanism to infer changes in the user's clock. Similarly, lower-layer mechanisms such as TCP timestamps may reveal the same high-resolution information to the server without the need for multiple visits. As such, the information provided by this API should not expose any significant or previously unavailable entropy about the user.

Privacy Considerations

The current definition of [=time origin=] for a {{Document}} exposes the total time of cross-origin redirects prior to the request arriving at the document's origin. This exposes cross-origin information; however, it is not yet decided how to mitigate this without causing major breakages to performance metrics.

To track the discussion, refer to Navigation Timing Issue 160.

Some conformance requirements are phrased as requirements on attributes, methods or objects. Such requirements are to be interpreted as requirements on user agents.

Acknowledgments

Thanks to Arvind Jain, Angelos D. Keromytis, Boris Zbarsky, Jason Weber, Karen Anderson, Nat Duca, Philippe Le Hegaret, Ryosuke Niwa, Simha Sethumadhavan, Todd Reifsteck, Tony Gentilcore, Vasileios P. Kemerlis, Yoav Weiss, and Yossef Oren for their contributions to this work.