Does TOR leak time and time zone which can expose the approximate user location on earth?
I think some JavaScript codes in web pages, asks operating system time before submitting the web form.
Does TOR browser change or hide the system time in any way?
No, Tor does not leak your time zone.
Tor Browser uses UTC for its time. This hides the "system time" from any querying websites and stops any website that could read the time from determining your location based on your timezone.
However it is not able to protect users whose time is uniquely inaccurate. You should use some timesync mechanism to ensure that you keep your system time accurate with reference time, through NTP or similar mechanisms.
Disabling Javascript would stop all access to the ability of a website to query the system time.
From the Tor Browser Design Specification:
Timezone and Clock Offset
While the latency in Tor connections varies anywhere from milliseconds to a few seconds, it is still possible for the remote site to detect large differences between the user's clock and an official reference time source.
Design Goal: All Tor Browser users MUST report the same timezone to websites. Currently, we choose UTC for this purpose, although an equally valid argument could be made for EDT/EST due to the large English-speaking population density (coupled with the fact that we spoof a US English user agent). Additionally, the Tor software should detect if the users clock is significantly divergent from the clocks of the relays that it connects to, and use this to reset the clock values used in Tor Browser to something reasonably accurate. Alternatively, the browser can obtain this clock skew via a mechanism similar to that used in tlsdate.
Implementation Status: We set the timezone using the TZ environment variable, which is supported on all platforms.
While Tor, the network protocol, is agnostic to the data sent over it Tor Browser takes steps to avoid being fingerprintable.
TOR client leaks your data when it sync's its clock to start. This is a very bad thing to do, its how your traced, its a trigger. Time sync should be Decoupled from Security.
Also dont ask for TOR bridges with Gmail or telegram, both data mined, might as well just email NSA direct.
NO, it does not do this. But scripts can't be filtered for a stuff like this - even in other browsers and/or NodeJS sandbox. What is available to script - can be used by it in any way, and there's nothing you can do about it: real-time code analysis is bloody expensive and fails sometimes on platforms with the runtime-modifiable code. If you don't trust a script on a specific page - disable scripts completely. In your particular case - form submission is a basic HTML function, so it won't be affected by disabling scripts.
