High Resolution Time

W3C Working Draft

More details about this document
This version:
https://www.w3.org/TR/2023/WD-hr-time-3-20230216/
Latest published version:
https://www.w3.org/TR/hr-time-3/
Latest editor's draft:
https://w3c.github.io/hr-time/
History:
https://www.w3.org/standards/history/hr-time-3
Commit history
Test suite:
https://wpt.live/hr-time/
Implementation report:
https://wpt.fyi/hr-time/
Editor:
Yoav Weiss (Google LLC)
Former editors:
(Google LLC) - Until
(Google LLC) - Until
(Microsoft Corp.) - Until
Feedback:
GitHub w3c/hr-time (pull requests, new issue, open issues)
Browser support:
caniuse.com

Abstract

This specification defines an API that provides the time origin, and current time in sub-millisecond resolution, such that it is not subject to system clock skew or adjustments.

Status of This Document

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document was published by the Web Performance Working Group as a Working Draft using the Recommendation track.

Publication as a Working Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 2 November 2021 W3C Process Document.

1. Introduction

This section is non-normative.

The ECMAScript Language specification [ECMA-262] defines the Date object as a time value representing time in milliseconds since 01 January, 1970 UTC. For most purposes, this definition of time is sufficient as these values represent time to millisecond precision for any moment that is within approximately 285,616 years from 01 January, 1970 UTC.

In practice, these definitions of time are subject to both clock skew and adjustment of the system clock. The value of time may not always be monotonically increasing and subsequent values may either decrease or remain the same.

For example, the following script may record a positive number, negative number, or zero for computed duration:

var mark_start = Date.now();
doTask(); // Some task
var duration = Date.now() - mark_start;

For certain tasks this definition of time may not be sufficient as it:

This specification does not propose changing the behavior of Date.now() [ECMA-262] as it is genuinely useful in determining the current value of the calendar time and has a long history of usage. The DOMHighResTimeStamp type, Performance.now() method, and Performance.timeOrigin attributes of the Performance interface resolve the above issues by providing monotonically increasing time values with sub-millisecond resolution.

Note

Providing sub-millisecond resolution is not a mandatory part of this specification. Implementations may choose to limit the timer resolution they expose for privacy and security reasons, and not expose sub-millisecond timers. Use-cases that rely on sub-millisecond resolution may not be satisfied when that happens.

1.1 Use-cases

This section is non-normative.

This specification defines a few different capabilities: it provides timestamps based on a stable, monotonic clock, comparable across contexts, with potential sub-millisecond resolution.

The need for a stable monotonic clock when talking about performance measurements stems from the fact that unrelated clock skew can distort measurements and render them useless. For example, when attempting to accurately measure the elapsed time of navigating to a Document, fetching of resources or execution of script, a monotonically increasing clock with sub-millisecond resolution is desired.

Comparing timestamps between contexts is essential e.g. when synchronizing work between a Worker and the main thread or when instrumenting such work in order to create a unified view of the event timeline.

Finally, the need for sub-millisecond timers revolves around the following use-cases:

1.2 Examples

This section is non-normative.

A developer may wish to construct a timeline of their entire application, including events from Worker or SharedWorker, which have different time origins. To display such events on the same timeline, the application can translate the DOMHighResTimeStamps with the help of the Performance.timeOrigin attribute.

// ---- worker.js -----------------------------
// Shared worker script
onconnect = function(e) {
  var port = e.ports[0];
  port.onmessage = function(e) {
    // Time execution in worker
    var task_start = performance.now();
    result = runSomeWorkerTask();
    var task_end = performance.now();
  }

  // Send results and epoch-relative timestamps to another context
  port.postMessage({
    'task': 'Some worker task',
    'start_time': task_start + performance.timeOrigin,
    'end_time': task_end + performance.timeOrigin,
    'result': result
  });
}

// ---- application.js ------------------------
// Timing tasks in the document
var task_start = performance.now();
runSomeApplicationTask();
var task_end = performance.now();

// developer provided method to upload runtime performance data
reportEventToAnalytics({
  'task': 'Some document task',
  'start_time': task_start,
  'duration': task_end - task_start
});

// Translating worker timestamps into document's time origin
var worker = new SharedWorker('worker.js');
worker.port.onmessage = function (event) {
  var msg = event.data;

  // translate epoch-relative timestamps into document's time origin
  msg.start_time = msg.start_time - performance.timeOrigin;
  msg.end_time = msg.end_time - performance.timeOrigin;

  reportEventToAnalytics(msg);
}

2. Time Concepts

2.1 Clocks

A clock tracks the passage of time and can report the unsafe current time that an algorithm step is executing. There are many kinds of clocks. All clocks on the web platform attempt to count 1 millisecond of clock time per 1 millisecond of real-world time, but they differ in how they handle cases where they can't be exactly correct.

2.2 Moments and Durations

Each clock's unsafe current time returns an unsafe moment. Coarsen time converts these unsafe moments to coarsened moments or just moments. Unsafe moments and moments from different clocks are not comparable.

Note

Moments and unsafe moments represent points in time, which means they can't be directly stored as numbers. Implementations will usually represent a moment as a duration from some other fixed point in time, but specifications ought to deal in the moments themselves.

A duration is the distance from one moment to another from the same clock. Neither endpoint can be an unsafe moment so that both durations and differences of durations mitigate the concerns in 9.1 Clock resolution. Durations are measured in milliseconds, seconds, etc. Since all clocks attempt to count at the same rate, durations don't have an associated clock, and a duration calculated from two moments on one clock can be added to a moment from a second clock, to produce another moment on that second clock.

The duration from a to b is the result of the following algorithm:

  1. Assert: a was created by the same clock as b.
  2. Assert: Both a and b are coarsened moments.
  3. Return the amount of time from a to b as a duration. If b came before a, this will be a negative duration.

Durations can be used implicitly as DOMHighResTimeStamps. To implicitly convert a duration to a timestamp, given a duration d, return the number of milliseconds in d.

3. Tools for Specification Authors

For measuring time within a single page (within the context of a single environment settings object), use the settingsObject's current relative timestamp, defined as the duration from settingsObject's time origin to the settingsObject's current monotonic time. This value can be exposed directly to JavaScript using the duration's implicit conversion to DOMHighResTimeStamp.

For measuring time within a single UA execution when an environment settings object's time origin isn't an appropriate base for comparison, create moments using an environment settings object's current monotonic time. An environment settings object settingsObject's current monotonic time is the result of the following steps:

  1. Let unsafeMonotonicTime be the monotonic clock's unsafe current time.
  2. Return the result of calling coarsen time with unsafeMonotonicTime and settingsObject's cross-origin isolated capability.

Moments from the monotonic clock can't be directly represented in JavaScript or HTTP. Instead, expose a duration between two such moments.

For measuring time across multiple UA executions, create moments using an environment settings object's current wall time. An environment settings object settingsObject's current wall time is the result of the following steps:

  1. Let unsafeWallTime be the wall clock's unsafe current time.
  2. Return the result of calling coarsen time with unsafeWallTime and settingsObject's cross-origin isolated capability.

When using moments from the wall clock, be sure that your design accounts for situations when the user adjusts their clock either forward or backward.

Moments from the wall clock can be represented in JavaScript by passing the number of milliseconds from the Unix epoch to that moment into the Date constructor, or by passing the number of nanoseconds from the Unix epoch to that moment into the Temporal.Instant constructor.

Avoid sending similar representations between computers, as doing so will expose the user's clock skew, which is a tracking vector. Instead, use an approach similar to monotonic clock moments of sending a duration between two moments.

3.1 Examples

The time a DOM event happens can be reported using:

  1. Initialize event's timeStamp attribute to this's relevant settings object's current relative timestamp.

The age of an error report can be computed using:

  1. Initialize report's generation time to settings' current monotonic time.

Later:

  1. Let data be a map with the following key/value pairs:
    age
    The number of milliseconds between report's generation time and context's relevant settings object's current monotonic time, rounded to the nearest integer.
    ...

Multi-day attribution report expirations can be handled as:

  1. Let source be a new attribution source struct whose items are:
    ...
    source time
    context's current wall time
    expiry
    parse a duration string from value["expiry"]

Days later:

  1. If context's current wall time is less than source's source time + source's expiry, send a report.

4. Time Origin

The Unix epoch is the moment on the wall clock corresponding to 1 January 1970 00:00:00 UTC.

Each group of environment settings objects that could possibly communicate in any way has an estimated monotonic time of the Unix epoch, a moment on the monotonic clock, whose value is initialized by the following steps:

  1. Let wall time be the wall clock's unsafe current time.
  2. Let monotonic time be the monotonic clock's unsafe current time.
  3. Let epoch time be monotonic time - (wall time - Unix epoch)
  4. Initialize the estimated monotonic time of the Unix epoch to the result of calling coarsen time with epoch time.
Issue 1
The above set of settings-objects-that-could-possibly-communicate needs to be specified better. It's similar to familiar with but includes Workers.

Performance measurements report a duration from a moment early in the initialization of a relevant environment settings object. That moment is stored in that settings object's time origin.

To get time origin timestamp, given a global object global, run the following steps, which return a duration:

  1. Let timeOrigin be global's relevant settings object's time origin.

    Note

    In Window contexts, this value represents the time when navigation has started. In Worker and ServiceWorker contents, this value represent the time when the worker is run. [service-workers]

  2. Return the duration from the estimated monotonic time of the Unix epoch to timeOrigin.
Note

The value returned by get time origin timestamp is approximately the time after the Unix epoch that global's time origin happened. It may differ from the value returned by Date.now() executed at the time origin, because the former is recorded with respect to a monotonic clock that is not subject to system and user clock adjustments, clock skew, and so on.

The coarsen time algorithm, given an unsafe moment timestamp on some clock and an optional boolean crossOriginIsolatedCapability (default false), runs the following steps:
  1. Let time resolution be 100 microseconds, or a higher implementation-defined value.
  2. If crossOriginIsolatedCapability is true, set time resolution to be 5 microseconds, or a higher implementation-defined value.
  3. In an implementation-defined manner, coarsen and potentially jitter timestamp such that its resolution will not exceed time resolution.
  4. Return timestamp as a moment.
The relative high resolution time given an unsafe moment from the monotonic clock time and a global object global, is the duration returned from the following steps:
  1. Let coarse time be the result of calling coarsen time with time and global's relevant settings object's cross-origin isolated capability.
  2. Return the relative high resolution coarse time for coarse time and global.
The relative high resolution coarse time given a moment from the monotonic clock coarseTime and a global object global, is the duration from global's relevant settings object's time origin to coarseTime.

The current high resolution time given a global object current global must return the result of relative high resolution time given unsafe shared current time and current global.

The coarsened shared current time given an optional boolean crossOriginIsolatedCapability (default false), must return the result of calling coarsen time with the unsafe shared current time and crossOriginIsolatedCapability.

The unsafe shared current time must return the unsafe current time of the monotonic clock.

To get an epoch-relative timestamp, optionally with a moment on the wall clock time:

  1. If time was not passed, set time to the wall clock's unsafe current time.
  2. Assert: time is greater than or equal to 1 January 1970 00:00:00 UTC.
  3. Return the number of milliseconds from the Unix epoch to time: where each day is comprised of 86,400 seconds, each of which is 1000 milliseconds long (i.e., don't account for leap seconds).
Note

A DOMHighResTimeStamp is a double. Therefore, using it to represent an epoch-relative timestamp, e.g. for the purpose of comparing it with Date.now(), might lose sub-millisecond precision.

5. The DOMHighResTimeStamp typedef

The DOMHighResTimeStamp type is used to store a duration in milliseconds. Depending on its context, it may represent the moment that is this duration after a base moment like a time origin or the Unix epoch.

WebIDLtypedef double DOMHighResTimeStamp;

A DOMHighResTimeStamp SHOULD represent a time in milliseconds accurate enough to allow measurement while preventing timing attacks - see 9.1 Clock resolution for additional considerations.

6. The EpochTimeStamp typedef

WebIDLtypedef unsigned long long EpochTimeStamp;
Note: Legacy platform feature

A EpochTimeStamp represents the number of milliseconds from a given time to 01 January, 1970 00:00:00 UTC, excluding leap seconds. Specifications that use this type define how the number of milliseconds are interpreted. An EpochTimeStamp is initialized by calling epoch-relative timestamp with no arguments, which defaults to the current time. Specifications that require a different relative time can call epoch-relative timestamp with a moment from the wall clock as an argument, if needed.

7. The Performance interface

WebIDL[Exposed=(Window,Worker)]
interface Performance : EventTarget {
    DOMHighResTimeStamp now();
    readonly attribute DOMHighResTimeStamp timeOrigin;
    [Default] object toJSON();
};

7.1 now() method

The now() method MUST return the number of milliseconds in the current high resolution time (a duration).

The time values returned when calling the now() method on Performance objects with the same time origin MUST use the same monotonic clock. The difference between any two chronologically recorded time values returned from the now() method MUST never be negative if the two time values have the same time origin.

7.2 timeOrigin attribute

The timeOrigin attribute MUST return the number of milliseconds in the duration returned by get time origin timestamp for the relevant global object of this.

The time values returned when getting Performance.timeOrigin MUST use the same monotonic clock that is shared by time origins, and whose reference point is the [ECMA-262] time definition - see 9. Security Considerations.

7.3 toJSON() method

When toJSON() is called, run [WEBIDL]'s default toJSON steps.

8. Extensions to WindowOrWorkerGlobalScope mixin

8.1 The performance attribute

The performance attribute on the interface mixin WindowOrWorkerGlobalScope allows access to performance related attributes and methods from the global object.

WebIDLpartial interface mixin WindowOrWorkerGlobalScope {
  [Replaceable] readonly attribute Performance performance;
};

9. Security Considerations

9.1 Clock resolution

Access to accurate timing information, both for measurement and scheduling purposes, is a common requirement for many applications. For example, coordinating animations, sound, and other activity on the page requires access to high-resolution time to provide a good user experience. Similarly, measurement enables developers to track the performance of critical code components, detect regressions, and so on.

However, access to the same accurate timing information can sometimes be also used for malicious purposes by an attacker to guess and infer data that they can't see or access otherwise. For example, cache attacks, statistical fingerprinting and micro-architectural attacks are a privacy and security concern where a malicious web site may use high resolution timing data of various browser or application-initiated operations to differentiate between subset of users, identify a particular user or reveal unrelated but same-process user data - see [CACHE-ATTACKS] and [SPECTRE] for more background.

This specification defines an API that provides sub-millisecond time resolution, which is more accurate than the previously available millisecond resolution exposed by EpochTimeStamp. However, even without this new API an attacker may be able to obtain high-resolution estimates through repeat execution and statistical analysis.

To ensure that the new API does not significantly improve the accuracy or speed of such attacks, the minimum resolution of the DOMHighResTimeStamp type should be inaccurate enough to prevent attacks.

Where necessary, the user agent should set higher resolution values to time resolution in coarsen time's processing model, to address privacy and security concerns due to architecture or software constraints, or other considerations.

In order to mitigate such attacks user agents may deploy any technique they deem necessary. Deployment of those techniques may vary based on the browser's architecture, the user's device, the content and its ability to maliciously read cross-origin data, or other practical considerations.

These techniques may include:

Mitigating such timing side-channel attacks entirely is practically impossible: either all operations would have to execute in a time that does not vary based on the value of any confidential information, or the application would need to be isolated from any time-related primitives (clock, timers, counters, etc). Neither is practical due to the associated complexity for the browser and application developers and the associated negative effects on performance and responsiveness of applications.

Note
Clock resolution is an unsolved and evolving area of research, with no existing industry consensus or definitive set of recommendations that applies to all browsers. To track the discussion, refer to Issue 79.

9.2 Clock drift

This specification also defines an API that provides sub-millisecond time resolution of the zero time of the time origin, which requires and exposes a monotonic clock to the application, and that must be shared across all the browser contexts. The monotonic clock does not need to be tied to physical time, but is recommended to be set with respect to the [ECMA-262] definition of time to avoid exposing new fingerprint entropy about the user — e.g. this time can already be easily obtained by the application, whereas exposing a new logical clock provides new information.

However, even with the above mechanism in place, the monotonic clock may provide additional clock drift resolution. Today, the application can timestamp the time-of-day and monotonic time values (via Date.now() and now()) at multiple points within the same context and observe drift between them—e.g. due to automatic or user clock adjustments. With the timeOrigin attribute, the attacker can also compare the time origin, as reported by the monotonic clock, against the current time-of-day estimate of the time origin (i.e. the difference between performance.timeOrigin and Date.now() - performance.now()) and potentially observe clock drift between these clocks over a longer time period.

In practice, the same time drift can be observed by an application across multiple navigations: the application can record the logical time in each context and use a client or server time synchronization mechanism to infer changes in the user's clock. Similarly, lower-layer mechanisms such as TCP timestamps may reveal the same high-resolution information to the server without the need for multiple visits. As such, the information provided by this API should not expose any significant or previously unavailable entropy about the user.

10. Privacy Considerations

The current definition of time origin for a Document exposes the total time of cross-origin redirects prior to the request arriving at the document's origin. This exposes cross-origin information, however it's not yet decided how to mitigate this without causing major breakages to performance metrics.

To track the discussion, refer to Navigation Timing Issue 160.

11. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MUST and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Some conformance requirements are phrased as requirements on attributes, methods or objects. Such requirements are to be interpreted as requirements on user agents.

12. IDL Index

WebIDLtypedef double DOMHighResTimeStamp;

typedef unsigned long long EpochTimeStamp;

[Exposed=(Window,Worker)]
interface Performance : EventTarget {
    DOMHighResTimeStamp now();
    readonly attribute DOMHighResTimeStamp timeOrigin;
    [Default] object toJSON();
};

partial interface mixin WindowOrWorkerGlobalScope {
  [Replaceable] readonly attribute Performance performance;
};

A. Acknowledgments

Thanks to Arvind Jain, Angelos D. Keromytis, Boris Zbarsky, Jason Weber, Karen Anderson, Nat Duca, Philippe Le Hegaret, Ryosuke Niwa, Simha Sethumadhavan, Todd Reifsteck, Tony Gentilcore, Vasileios P. Kemerlis, Yoav Weiss, and Yossef Oren for their contributions to this work.

B. References

B.1 Normative references

[dom]
DOM Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://dom.spec.whatwg.org/
[ECMA-262]
ECMAScript Language Specification. Ecma International. URL: https://tc39.es/ecma262/multipage/
[html]
HTML Standard. Anne van Kesteren; Domenic Denicola; Ian Hickson; Philip Jägenstedt; Simon Pieters. WHATWG. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[SPECTRE]
Spectre Attacks: Exploiting Speculative Execution. Paul Kocher; Jann Horn; Anders Fogh; Daniel Genkin; Daniel Gruss; Werner Haas; Mike Hamburg; Moritz Lipp; Stefan Mangard; Thomas Prescher; Michael Schwarz; Yuval Yarom. January 2018. URL: https://spectreattack.com/spectre.pdf
[Temporal]
Temporal. ECMA TC39. Stage 3 Proposal. URL: https://tc39.es/proposal-temporal/
[WEBIDL]
Web IDL Standard. Edgar Chen; Timothy Gu. WHATWG. Living Standard. URL: https://webidl.spec.whatwg.org/

B.2 Informative references

[CACHE-ATTACKS]
The Spy in the Sandbox - Practical Cache Attacks in Javascript. Yossef Oren; Vasileios P. Kemerlis; Simha Sethumadhavan; Angelos D. Keromytis. 1 March 2015. URL: https://arxiv.org/abs/1502.07373
[reporting]
Reporting API. Douglas Creager; Ian Clelland; Mike West. W3C. 17 September 2022. W3C Working Draft. URL: https://www.w3.org/TR/reporting-1/
[service-workers]
Service Workers. Jake Archibald; Marijn Kruisselbrink. W3C. 12 July 2022. W3C Candidate Recommendation. URL: https://www.w3.org/TR/service-workers/