ASOS
App Quality Report
Powered by Testers.AI
Quality Score: C+ (78%)
Pages: 6
Issues: 142
Avg Confidence: 7.6
Avg Priority: 7.9
Severity breakdown: 52 Critical, 69 High, 21 Medium
Testers.AI AI Analysis

ASOS scored B (85%) with 142 issues across 7 tested pages, ranking #16 of 22 UK retail sites. That's 18 more than the 123.7 category average (27th percentile).

Top issues to fix immediately: "Persistent User Identifier (auid) Exposed Across Multiple Tracking Calls" — 1; "Iframe Sandbox Escape Vulnerability" — 1) Remove either 'allow-scripts' or 'allow-same-origin' from the iframe sandbox attribute (not both); "Iframe Sandbox Vulnerability - Allows Script Escape" — Remove 'allow-same-origin' from the iframe sandbox attribute if not absolutely necessary.

Weakest area — accessibility (5/10): Significant accessibility concerns: insufficient color contrast on some text, images lack visible alt text labels, small font s...

Quick wins: Improve text contrast ratios to meet WCAG AA standards, particularly on black backgrounds. Add clear, descriptive alt text to all product and model images.

Qualitative Quality (chart: ASOS vs. Category Avg vs. Best in Category)
Issue Count by Type: A11y 38, Security 20, Content 19, UX 9
Pages Tested · 6 screenshots
Detected Issues · 142 total
1. Persistent User Identifier (auid) Exposed Across Multiple Tracking Calls (CRIT P10, Conf 9/10, Other)
Prompt to Fix
Critical privacy issue: A persistent user identifier 'auid=1094023874.1773668335' is exposed in plaintext across multiple advertising platform tracking calls logged to browser console. This same identifier is being shared with DoubleClick, Google Ads, and other ad platforms, enabling persistent cross-site user profiling. Fix immediately by: 1) Implement URL sanitization to redact all user identifiers before logging - strip auid, auiddc, guid, and any numeric identifiers from URLs. 2) Enable strict CSP enforcement to block these tracking calls entirely at the network layer. 3) Implement a utility function that detects and redacts patterns matching user identifiers from all logged content. 4) Consider implementing user identifier anonymization or encryption before transmission to ad platforms. 5) Add privacy audit logging that monitors for accidental exposure of user identifiers in console. This is a material privacy violation that exposes persistent cross-site tracking identifiers.
Why it's a bug
A persistent user identifier 'auid=1094023874.1773668335' appears consistently across calls to multiple different tracking platforms (DoubleClick, Google Ads Services) in the console logs. The same identifier is sent to several advertising and tracking vendors, enabling persistent cross-site user identification and profiling. It persists for the entire session and appears in DoubleClick activity tracking, Google conversion tracking, and other ad platform calls. Exposing this identifier in console logs makes it visible to anyone with access to browser developer tools, creating a privacy breach. The auid value format (decimal.timestamp) suggests it may combine a user ID with a timestamp-based tracking component.
Why it might not be a bug
The auid is part of Google's legitimate advertising ecosystem. However, logging these identifiers to client-side console violates privacy principles of data minimization and user transparency.
Suggested Fix
1. Implement strict CSP enforcement to block all ad platform calls, preventing auid from being transmitted.
2. Create a URL sanitization function that redacts all user identifiers (auid, auiddc, guid, etc.) from any logged URLs.
3. Implement client-side tracking identifier encryption or hashing so identifiers are not visible in plaintext in logs.
4. Use Google Tag Manager's built-in PII prevention features to prevent transmission of identifiers where possible.
5. Implement consent-based loading of ad scripts - only load ad pixels after explicit user consent.
Why Fix
Exposing persistent cross-site user identifiers in console logs violates fundamental privacy principles and likely breaches GDPR Article 5 (data minimization), CCPA (user transparency), and other data protection regulations. The same identifier being used across multiple ad platforms enables sophisticated user profiling and tracking. Console logs are accessible to users, developers, browser extensions, and potentially malicious actors. Users have a right to know they're being tracked with persistent identifiers, and these identifiers should not be visible in plaintext.
Route To: Privacy Engineer / Security Engineer / Frontend Engineer / Data Protection Officer
Tester: Pete · Privacy Console Log Analyzer
Technical Evidence
Console: Multiple console entries showing auid=1094023874.1773668335 in DoubleClick activity URLs and Google Ads conversion URLs - the same identifier repeated across different tracking platforms
Network: https://ad.doubleclick.net/activity with auid parameter and https://www.googleadservices.com/pagead/conversion with auid parameter
2. Iframe Sandbox Escape Vulnerability (CRIT P10, Conf 9/10, Security/Other)
Prompt to Fix
The browser console shows a warning: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.' This is a security vulnerability. Please: 1) Find the iframe element with both 'allow-scripts' and 'allow-same-origin' in the sandbox attribute, 2) Remove one of these attributes - if scripts must run, keep only 'allow-scripts' and remove 'allow-same-origin', 3) If same-origin access is required, remove 'allow-scripts' instead, 4) Verify the iframe content source is from a trusted origin, 5) Test that removing the attribute doesn't break required functionality.
Why it's a bug
The warning explicitly indicates a security vulnerability where an iframe with both 'allow-scripts' and 'allow-same-origin' sandbox attributes can escape its sandbox restrictions. This is a critical security flaw that could allow malicious scripts to break out of containment and access sensitive data or perform unauthorized actions.
Why it might not be a bug
The warning itself is functioning as intended to alert developers, but dismissing the warning without fixing the underlying vulnerability would be negligent.
Suggested Fix
1) Remove either 'allow-scripts' or 'allow-same-origin' from the iframe sandbox attribute (not both).
2) If scripts are required, use 'allow-scripts' alone without 'allow-same-origin' to prevent same-origin access.
3) If same-origin access is required, remove 'allow-scripts' and handle script execution through alternative means.
4) Review the iframe content source to ensure it's from a trusted origin.
Why Fix
This is a critical security vulnerability that could allow sandbox escape and compromise application security, user data, and system integrity.
Route To: Security Engineer / Frontend Engineer
Tester: Sharon · Security Tester
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
3. Iframe Sandbox Vulnerability - Allows Script Escape (CRIT P10, Conf 9/10, Security/Other)
Prompt to Fix
Fix an iframe sandbox security vulnerability: The browser is warning that an iframe has both 'allow-scripts' and 'allow-same-origin' sandbox attributes, which allows script escape. Please: 1) Identify all iframe elements in the code, 2) Remove 'allow-same-origin' from sandbox attributes unless absolutely required, 3) Use only minimum required sandbox permissions (e.g., just 'allow-scripts' if needed), 4) Implement postMessage-based communication for any cross-origin interactions needed, 5) Validate all iframe src attributes against a whitelist of trusted domains. Show me the updated iframe HTML with proper sandbox configuration and any postMessage communication code.
Why it's a bug
The console warning '[WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing' indicates a critical security misconfiguration in iframe sandboxing. AI-generated code frequently creates iframes with overly permissive sandbox attributes to avoid dealing with cross-origin restrictions, inadvertently creating security vulnerabilities where embedded content can break out of the sandbox and access the parent page's origin.
Why it might not be a bug
The warning is just a browser warning, not a hard error, and may be intentional if the iframe content is trusted. However, this is still a security anti-pattern that should be avoided.
Suggested Fix
Remove 'allow-same-origin' from the iframe sandbox attribute if not absolutely necessary. Use only the minimum required permissions: 'allow-scripts' alone if script execution is needed, or remove both if possible. If cross-origin access is required, implement proper postMessage communication instead of relying on same-origin sandbox bypass. Validate that all iframe sources are from trusted domains.
Why Fix
Iframes with both allow-scripts and allow-same-origin can be exploited by malicious embedded content to access sensitive parent page data, manipulate the DOM, or steal user credentials. This is a critical security vulnerability that could expose user data and compromise the application's integrity.
Route To: Security Engineer / Frontend Engineer
Tester: Jason · GenAI Code Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
Network: Not applicable - this is a code-level security configuration issue
139 more issues detected, including:
Iframe Sandbox Escape Vulnerability - Multiple Instances
Critical Resource Loading Failures Affecting Page Functional...
Multiple DNS Resolution Failures - Critical Network Connecti...
and 136 more...