Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
nightpool 10 hours ago

> where you can't just download a leap-second file from someone else's site thanks to the SOP

WDYM by this? Why does the SOP prevent a website from hosting a leap seconds file? All they need to do is set Access-Control-Allow-Origin to allow websites to access it. Or provide it as a JS file—in which case no headers are necessary at all. All the SOP prevents is you hotlinking someone else's leap-seconds file and using their bandwidth without their opt-in.

> Meanwhile, browsers update on a cadence more than sufficient to keep an up-to-date copy

Is this true? I don't know any browser right now that ships with a copy of a leapseconds data file. Adding such a data file and keeping it up to date would probably be a pretty non-trivial task for new browser developers—just for something the browser will never end up using itself. It's not like the ICU/CLDR files where browsers are going to need them anyway for rendering their own user-interface components.

LegionMammal978 10 hours ago | parent [-]

> All they need to do is set Access-Control-Allow-Origin to allow websites to access it. All the SOP prevents is you hotlinking someone else's leap-seconds file and using their bandwidth without their opt-in.

They can, but the major providers (read: the ones I would trust to update it) don't. The IERS doesn't [0], the USNO doesn't [1], IANA doesn't [2], and NIST uses FTP [3]. Keep in mind that these files are constantly being downloaded by various clients for NTP and whatnot, it's not like these providers want to restrict public access, they just don't bother to set the header that would allow JS requests.

> Is this true? I don't know any browser right now that ships with a copy of a leapseconds data file.

From ECMA-262:

> It is required for time zone aware implementations (and recommended for all others) to use the time zone information of the IANA Time Zone Database https://www.iana.org/time-zones/.

Any browser that ships with a copy of tzdb, or knows where to find a copy from the OS, should have access to its leapseconds file. Unless you mean that all of them go solely through ICU and its data files? Which I suppose could be an obstacle unless ICU were to start exposing them.

[0] https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list

[1] https://maia.usno.navy.mil/ser7/tai-utc.dat

[2] https://data.iana.org/time-zones/tzdb/leap-seconds.list

[3] ftp://ftp.boulder.nist.gov/pub/time/leap-seconds.list

GeneralMaximus 11 minutes ago | parent [-]

Could you put some kind of CORS proxy in front of those URLs? (I know it sucks that you have to do this at all, but c'est la vie.)

You could even write a Cloudflare Worker or a Val on val.town to do that, and add a bit of caching on top so you don't hit your providers too often.