-
Notifications
You must be signed in to change notification settings - Fork 106
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enumeration of time zones #435
Comments
It seems interesting to discuss. |
Agreed; this seems roughly related to Intl. We need to put the enumeration API somewhere (could be Intl, could be elsewhere), and then we need to add time zone names to Intl.DisplayNames. |
I think enumeration is a broader problem than just timezones. Some other things that you might want to enumerate:
I don't think we need to ship all these together, but it'd be nice to come up with an API pattern that would potentially capture all of them. That's why I was a bit skeptical of tying Timezone enumeration to Temporal: there's no clear way to extend this to regions, locales or currencies, but those seem quite important as pickers. Let's watch out for data size issues in Intl.DisplayNames with timezones, but it could definitely be useful if someone wants to make a timezone picker. |
My only concern is that Intl is optional and not available in all JS platforms (e.g. Moddable XS). If we identify use cases for some of these enumerations out of the Intl API, there is a chance we might want this enumeration elsewhere. Still, Intl might be a good place to provide this enumeration, and I wouldn't complain. This also doesn't seem to be a heavy weight addition. |
We have discussed removing enumeration of time zones from Temporal, and suggested to investigate it in ECMA-402 instead. It seems like an orthogonal problem to Temporal. See tc39/ecma402#435
I don't know whether this should be in Intl or not; my main concern is that we find an API design that will eventually work for all sorts of enumerations. The only use case I've heard about for enumeration of timezones was for a sort of timezone picker. The consensus among internationalization experts is that this only really makes sense if the timezones are localized (even if some application developers are OK with displaying IANA names, we don't want to encourage this). If there's a non-picker use case, then that might change the calculus. Overall, it's a bit hard for me to think about the space of environments where some parts of JS aren't present. I imagine some of them have other restrictions or allowances that aren't specifically sanctioned by the specification; we may or may not want to permit these in the standard. If we end up making major decisions on the basis of this kind of optionality/grouping, I wonder if we might weaken/unconstrain things to permit engines to let them support enumeration but not other parts. |
I can localize my own time zone names, i don’t need Intl to do it for me (and because Intl isn’t everywhere, i can’t rely on it anyways). All i need is the data, in 262. |
@ljharb Which data do you need, and why do you need it? |
The list of valid time zone identifiers. Otherwise, i have to maintain my own list, and laboriously validate each one at runtime. The goal is to know what timezones an engine supports, so i can, among many other things, set up backend validation, and notify myself when i need to support a new timezone. |
A list of things which directly pop into my head when thinking about time zones:
|
Perhaps an object, whose keys are the canonical names, and whose values are all the valid aliases. |
We have discussed removing enumeration of time zones from Temporal, and suggested to investigate it in ECMA-402 instead. It seems like an orthogonal problem to Temporal. See tc39/ecma402#435
@ljharb Because the list of timezones is so long, it's a common pattern in applications' timezone pickers to show a subset, so it's unclear to me what signal application developers should take based on just the existence of a timezone in a browser's tzdb. Does this need occur in the frontend, or is it more of a development-time need, or some other context? |
We have discussed removing enumeration of time zones from Temporal, and suggested to investigate it in ECMA-402 instead. It seems like an orthogonal problem to Temporal. See tc39/ecma402#435
The object form I suggested, run through Object.keys, seems like it'd be a subset? My use case is for both the frontend (rerendering in the client), and the backend that generates the initial HTML hydrated in the frontend. |
ICU's API provide 3 style of enumeration call that we can use to surface to JS
|
How about Intl.DateTimeFormat.getSupportedCalendars() and later we may let each of above take optional argument to restrict the return list |
These enumerations are not really specific to specific Intl formatters. If we were to add methods like this, I think it makes more sense to put them on the top Intl namespace: Intl.getSupportedCalendars() |
ok, I will start to champion an "Intl Enumeration API Specification" to address this. Start to draft it under https://github.com/FrankYFTang/proposal-intl-enumeration/blob/master/README.md now. |
Btw. This is a major fingerprinting increase as basically the API does nothing else but add identifiable bits. |
@zbraniecki seems more like it collects existing bits into a single list, as opposed to me having to maintain the list myself and laboriously feature-test against the runtime? iow, not a new capability, just happens to make it easier? |
I'm not a security/privacy expert, so please, take my read with a grain of salt, but my understanding is that the race for privacy vs fingerprinting is composed of two pieces:
Number (1) is important because all/any anti-fingerprinting attempts will have to mask all those APIs to return some jammed responses that are generic and unidentifiable Now, if I understand correctly, Intl API originally was designed to force the fingerprint script to cycle through API calls attempting to ask for various bits and checking the output in hope to collect a bit. That's time consuming and CPU costly. The "give me all available/supported X" type of API is making it trivial to ask for all fonts, all calendars, all languages, all numerical systems. The common driver for such requests are "pickers", and I recognize the value for a picker to know what's available. I'm not sure how to resolve that tradeoff and I would love to get some privacy/security experts involved in guidelines for API design to strike the right tradeoffs. Otherwise, non privacy experts will keep adding fingerprinting APIs as the API surface grows, and then privacy engineers will struggle to add "anti-fingerprinting" masking mode to each and every one of them. That seems suboptimal. |
Why don't the hacker just read the user agent string instead? That will cost less CPU power, right? How would this API provide more fingerprint information than the user agent string? |
Funny you should ask: https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/ And anti-fingerprinting is always masking your UA string anyway.
UA string adds some bits of entropy, your screen dimensions, color depth, add more, your installed plugins, refresh rate (vsync) even more, and so on. You can see an example of such finderprinting on https://panopticlick.eff.org/ if you click "Test me" and then "Show full results for fingerprinting". As I said, I'm not an expert, I just know that I often end up reviewing patches for Gecko/SM that add the masking and I remember the reasoning behind "supportedLocalesOf" rather than "getSupportedLocales". |
We have discussed removing enumeration of time zones from Temporal, and suggested to investigate it in ECMA-402 instead. It seems like an orthogonal problem to Temporal. See tc39/ecma402#435
Seems to me you can determine whether any individual time zone is supported by just using it and seeing if it shows up as a resolved option. For purposes of revealing differentiations across UAs and across their successive versions, an enumeration API does not expose new information. It makes it easier to query in bulk, but if the differentiations pertain to specific time zone strings, an attempt to fingerprint could just check behavior of those specific time zone strings. Or is this a more theoretical concern, about user agents that the would-be fingerprinter hasn't taken the time to individually figure out the distinctions of? Because I guess an enumeration API does mean the fingerprinter doesn't have the ongoing maintenance burden of figuring out which time zones are differentiably supported by distinct UAs and UA versions -- it could just grab the whole list and generate a hash from it, for fingerprinting purposes. |
It seems to me like not exposing the list is just security by obscurity. |
Hi all. I hear your feedback. I understand that it's hard for me to explain the concerns around the privacy area, and since I'm not an expert in the area, I may not even be able to. I want to ensure you tho, that it is not "security by obscurity" - the idea is not just to hide the information or make it harder to retrieve in an attempt to discourage the fingerprinting. I reached out to several people working on the Tor browser at Mozilla and I'll try to get them to help us make decisions around this area. The topic is complex and several dynamics are intertwined, making it harder to design clear guidelines as multiple tradeoffs are in play. I'll try to get back to this thread within the next week or so with more feedback on how to design such APIs in a privacy-friendly manner. |
Wearing my hat as ECMA-402 chair: the contents of this post doesn't necesarilly reflect my personal opinion The consensus from the ECMA-402 meeting today is that we think this proposal has solid use cases, but acknowledge the potential fingerprint concerns. We plan to present it for Stage 1 at the upcoming TC39 meeting, and continue investigating the privacy and security implications before it reaches Stage 2. |
I spun off #442 for the generic conversation about the scope of ECMA402, which I believe is important for assessment of this API. I'd also like to say that I did not see the "solid use cases" list beyond "pickers" and did not receive an answer to my question about them. Putting privacy aside, and putting the generic "How far should ECMA402 go" aside as well, I'd like to better understand what makes this a "solid use case". But I struggle to evaluate whether the user case is solid. I don't know if this is applicable to today's velocity and dynamic behind ECMA402, but I don't think I've seen userland libraries around time zone names, numbering system names and calendar names. I also don't know if "pickers" is the right use case - should the "pickers" be hand-written, or part of HTML? What is the use of "pickers" outside of Web environment? (they don't help much Node.js, right?). Are there other uses than "pickers"? I understand the Stage 1 and I hope to see motivation for the API in the Stage 1 proposal that can be verified against the outcome of #442. |
@zbraniecki anything the browser needs, is helpful in node, because generating HTML on the server is a very important a11y/performance/robustness practice. |
I'm not sure if I understand. You can generate |
Sure - but assuming there's no native HTML control for a timezone picker, eg, you'd need every possible timezone to be present in the serverside HTML, generated in node. I agree that if a native form control existed, that was sufficiently styleable and hookable in the browser, then there'd likely be no need to expose the data as a list. |
(I didn't realize this discussion was happening here, and opened https://github.com/FrankYFTang/proposal-intl-enumeration/issues/1 about it) |
I see. Thank you for your patience! I think my question is then, should we evaluate the native form control path for pickers, rather than API scope extension as the more privacy friendly, easier to get internationalization right, and lower overhead for the user, approach first? |
My personal opinion on this feature request: We have heard from multiple Temporal stakeholders that exposing this API covers their use case of making a time zone picker. This information is already available via Intl APIs, but less efficiently. In Temporal, where time zones and calendars are first-class objects, one can also imagine use cases expanding beyond only pickers. If you are building a client-side app and want to let people select their time zone, calendar system, etc., right now you would hard-code an expected list, even if a browser engine is capable of doing more. I think it is better for the JavaScript engine to provide a list of what it can support than making the programmer start with their own list and essentially take the intersection of that list with the browser's list by feature-testing each entry. Although we should consider also supporting this in HTML, I still think this proposal has merits in JavaScript. The ecosystem is likely to never reach a point in which all web sites can use only the W3C pickers. Although I like using them in personal projects, I can't remember the last time I've visited a web site that has used a native HTML date picker in production, for example. I would hope that we can at least agree that JavaScript-based pickers are a legitimate use case. |
Also, if the effort of creating the list is acceptable for the majority of devs, the good users, why wouldn’t the minority that are malicious just do the same? Someone will probably make a library for it nigh in immediately anyways, so any effort barrier vanishes. |
The thing that has me confused about this thread is that the list of time zones is finite (if rather larger than the logical minimum and unstable to boot) and, ignoring Making a time zone picker is a little more complicated, since many time zones need to be "rolled up" into a representative zone and a bunch of zones are obsolete. Hence all the "metazone" gunk in ICU (or, in my case, a bunch of utility classes). @sffc I agree that this should be supported in HTML--in fact W3C I18N has asked for first-class time zone support in HTML going back a ways and I should probably follow up on that with WHATWG in the near future--but I also agree that JS APIs should provide access also. |
Good point about metazones and containment. I guess we should consider exposing that additional information in an enumeration API? A flat list of time zones will get a lot of obsolete junk. |
In the Temporal proposal we currently have an API for enumerating all named time zones known to the system. We are currently discussing removing this time zone enumeration API from the proposal as it's not clearly related to Temporal and seems like it is an orthogonal project.
It was originally added in response to this use case: the list of named time zones is useful for implementing a time zone picker in UI. (Although, to be useful for UI, there would also have to be a way to get human-friendly display names for time zones rather than IANA names; #31?)
ECMA-402 seems like a good place to investigate this.
The text was updated successfully, but these errors were encountered: