docs: update CHANGELOG

Signed-off-by: Xe Iaso <me@xeiaso.net>

data/botPolicies.yaml

@@ -107,7 +107,6 @@ bots:
         - '"Sec-Fetch-Dest" in headers'
         - '"Sec-Fetch-Mode" in headers'
         - '"Sec-Fetch-Site" in headers'
-        - '"Upgrade-Insecure-Requests" in headers'
         - '"Accept-Encoding" in headers'
         - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
         - '"Accept-Language" in headers'
@@ -115,6 +114,13 @@ bots:
     weight:
       adjust: -10
 
+  # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
+  - name: upgrade-insecure-requests
+    expression: '"Upgrade-Insecure-Requests" in headers'
+    action: WEIGH
+    weight:
+      adjust: -2
+
   # Chrome should behave like Chrome
   - name: chrome-is-proper
     expression:

data/meta/default-config.yaml

@@ -91,7 +91,6 @@
       - '"Sec-Fetch-Dest" in headers'
       - '"Sec-Fetch-Mode" in headers'
       - '"Sec-Fetch-Site" in headers'
-      - '"Upgrade-Insecure-Requests" in headers'
       - '"Accept-Encoding" in headers'
       - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
       - '"Accept-Language" in headers'
@@ -99,6 +98,13 @@
   weight:
     adjust: -10
 
+# The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
+- name: upgrade-insecure-requests
+  expression: '"Upgrade-Insecure-Requests" in headers'
+  action: WEIGH
+  weight:
+    adjust: -2
+
 # Chrome should behave like Chrome
 - name: chrome-is-proper
   expression:

docs/docs/CHANGELOG.md

@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Document missing environment variables in installation guide: `SLOG_LEVEL`, `COOKIE_PREFIX`, `FORCED_LANGUAGE`, and `TARGET_DISABLE_KEEPALIVE` ([#1086](https://github.com/TecharoHQ/anubis/pull/1086)).
 - Add validation warning when persistent storage is used without setting signing keys.
 - Fixed `robots2policy` to properly group consecutive user agents into `any:` instead of only processing the last one ([#925](https://github.com/TecharoHQ/anubis/pull/925)).
+- Make the `fast` algorithm prefer purejs when running in an insecure context.
 - Add the [`s3api` storage backend](./admin/policies.mdx#s3api) to allow Anubis to use S3 API compatible object storage as its storage backend.
 - Fix a "stutter" in the cookie name prefix so the auth cookie is named `techaro.lol-anubis-auth` instead of `techaro.lol-anubis-auth-auth`.
 - Make `cmd/containerbuild` support commas for separating elements of the `--docker-tags` argument as well as newlines.

web/js/algorithms/fast.ts

@@ -18,7 +18,12 @@ export default function process(
 ): Promise<string> {
   console.debug("fast algo");
 
-  let workerMethod = window.crypto !== undefined ? "webcrypto" : "purejs";
+  // Choose worker based on secure context.
+  // Use the WebCrypto worker if the page is a secure context; otherwise fall back to pure‑JS.
+  let workerMethod: "webcrypto" | "purejs" = "purejs";
+  if (window.isSecureContext) {
+    workerMethod = "webcrypto";
+  }
 
   if (navigator.userAgent.includes("Firefox") || navigator.userAgent.includes("Goanna")) {
     console.log("Firefox detected, using pure-JS fallback");
@@ -82,4 +87,4 @@ export default function process(
       workers.push(worker);
     }
   });
-}
+}