After WordPress 6.2 came out, we had some reports about broken video playback in FV Player. In the end, the issues were more serious than we thought. WordPress’s core development crew broke a few important longtime functions:
WP HTTP no longer sets HTTP Referrer
It seems the WP HTTP functions no longer set the HTTP referrer header by default. Bunny Stream requires a referrer header. Without it, FV Player Pro would fail to play the Bunny Stream videos with the Signed URLs download protection.
Until WordPress 6.2 you were able to call wp_remote_get() without any extra arguments and the referrer would be sent:
$res = wp_remote_get( 'https://foliovision.com/?referrer-test=no-headers' );
But with WordPress 6.2 we had to start specifying the referrer in cases like Bunny Stream:
$res = wp_remote_get(
	$url, // the URL being requested
	array(
		'headers' => array( 'Referer' => home_url() ),
	)
);
Note: The header name “Referer” is actually a misspelling of the word “Referrer”, but it has become a standard that way.
Here’s how these two calls turn up in the access logs on our server with WordPress 6.2:
As you can see, the first call provided no referrer information, which makes sense as wp_remote_get() did not specify the referrer. It’s just that until now WordPress would include that automatically.
And here’s WordPress 6.1:
So the referrer header shows up even for the first request where wp_remote_get() specifies no referrer. But to my surprise it actually uses the request URL as the referrer, which is wrong.
The line of code responsible for this is in the Requests library version which was used up to WordPress 6.1: wp-includes/Requests/src/Transport/Curl.php on WordPress 6.1 github.com
In WordPress 6.2 the Requests library was updated to version 2.0.6 and that line is gone: wp-includes/Requests/src/Transport/Curl.php on WordPress 6.2 github.com
And here is the pull request on the original Requests library: https://github.com/WordPress/Requests/pull/444
To sum things up:
- Until version 6.2, WordPress put in an invalid referrer header
- WordPress 6.2 puts in no referrer by default
None of that seems like the right thing. I wish WordPress 6.2 would include the proper referrer header by default – the website URL.
But a sudden change like this will surely cause a lot of problems with other plugins and APIs.
MySQL Escaping adds new replacement string
The MySQL escaping function prepare() of the WP database class now also replaces %i in SQL queries. Previously it would only handle %s. FV Player Pro had a query where it used prepare() for only certain parts of it, so a mention of %iPad% in the SQL query caused the query to break. That broke encrypted HLS serving in FV Player Pro.
Thoughts: In fairness, this second breaking change is an improvement.
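A query shape that does not depend on which placeholders prepare() recognises, as an added example (not FV Player's code): every literal % lives in an argument, never in the format string. It assumes a loaded WordPress context with $wpdb; the function name, the table example_player_stats and the columns user_id and user_agent are hypothetical.

```php
<?php
// Added example; assumes WordPress is loaded so that $wpdb exists.
// Function, table and column names are hypothetical.

// Fragile shape described above: a raw LIKE pattern inside the string that
// is handed to prepare(). On WordPress 6.2+ the "%i" in "%iPad%" is read
// as a placeholder instead of literal text:
//   "... WHERE user_id = %d AND user_agent LIKE '%iPad%'"

/**
 * Count rows for a user whose user_agent contains any of the substrings.
 *
 * @param string[] $needles Substrings to look for, e.g. array( 'iPad' ).
 * @param int      $user_id User to filter on.
 * @return int Number of matching rows.
 */
function example_count_by_user_agent( array $needles, $user_id ) {
	global $wpdb;

	if ( empty( $needles ) ) {
		return 0;
	}

	// Built from the trusted table prefix, never from user input.
	$table = $wpdb->prefix . 'example_player_stats';

	$clauses = array();
	$args    = array( (int) $user_id );
	foreach ( $needles as $needle ) {
		$clauses[] = 'user_agent LIKE %s';
		// esc_like() escapes % and _ found in the data itself. The wildcards
		// are added to the argument, so prepare() never parses them.
		$args[] = '%' . $wpdb->esc_like( (string) $needle ) . '%';
	}

	// The format string now holds only real placeholders (%d and %s).
	$sql = "SELECT COUNT(*) FROM {$table} WHERE user_id = %d AND ( "
		. implode( ' OR ', $clauses ) . ' )';

	// prepare() accepts the arguments as a single array.
	return (int) $wpdb->get_var( $wpdb->prepare( $sql, $args ) );
}
```

If a literal percent sign has to stay in the format string itself, write it as %% so prepare() leaves it alone.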
FV Player users: we’ve fixed both these issues in FV Player 7.5.32. The simple solution for any publisher on WordPress 6.2 or later is to update to the latest version of FV Player.
It’s been a while since WordPress broke everyone’s sites. Back around WP 5.2. Let’s hope it doesn’t become a trend. Stability is good. Here’s the full changelog for WordPress 6.2. The WordPress 6.2 marketing announcement (written by Matt Mullenweg for a change, as he took the lead on 6.2) touts enhancements to the block editor and full site editing, as well as performance improvements. As a code minimalist, I’m fairly indifferent to full site editing, but performance improvements are always welcome. WordPress has never been the fastest car in the garage.
Alec has been helping businesses succeed online since 2000. Alec is an SEM expert with a background in advertising, as a former Head of Television for Grey Moscow and Senior Television Producer for Bates, Saatchi and Saatchi Russia.