Boohoo
App Quality Report
Powered by Testers.AI
C (76%)
Quality Score
6
Pages
154
Issues
7.5
Avg Confidence
7.8
Avg Priority
52 Critical · 79 High · 21 Medium · 2 Low
Testers.AI AI Analysis

Boohoo scored B (85%) with 154 issues across 7 tested pages, ranking #20 of 22 UK retail sites. That is about 30 more issues than the category average of 123.7 (9th percentile).

Top issues to fix immediately: "Iframe Sandbox Escape Vulnerability - Security Risk" and "Iframe Sandbox Bypass Vulnerability Enabling XSS and Privacy Exploitation" (both raised from the same console warning): remove either 'allow-scripts' or 'allow-same-origin' from the iframe's sandbox attribute unless both are genuinely required; "Multiple failed resource loads breaking core functionality": find out why the external service hostnames do not resolve, starting with whether the test network itself blocks them.

Weakest area: accessibility (5/10). Limited alt text visibility for images, contrast ratios could be improved, and keyboard navigation support is unclear.

Quick wins: Implement comprehensive alt text for all product images to improve screen reader accessibility. Enhance color contrast ratios to meet WCAG AA standards, particularly in promotional sections.

Qualitative Quality (chart: Boohoo vs. Category Avg vs. Best in Category)
Issue Count by Type
A11y: 53
Content: 26
Security: 22
UX: 9
Pages Tested · 6 screenshots
Detected Issues · 154 total
1. Iframe Sandbox Escape Vulnerability - Security Risk
CRIT P10 · Conf 8/10 · Security / Other
Prompt to Fix
A console warning has been triggered: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.' With both tokens set, a framed document that shares the embedding page's origin can reach its own iframe element through the parent window and remove the sandbox attribute, so the sandbox gives no protection against that content. Please: 1) Audit all iframes in the codebase for this token combination and record which origin each one loads. 2) Remove either 'allow-scripts' or 'allow-same-origin' unless both are genuinely required. 3) If both must remain on same-origin content, document why and treat the sandbox as ineffective for that frame; prefer serving such content from a separate origin and restricting it with a Content Security Policy of its own. 4) Use Permissions Policy (the iframe 'allow' attribute) to limit the frame's access to sensitive APIs such as camera, geolocation and payment. Provide the specific iframe element(s) that need to be fixed.
Why it's a bug
The warning states that an iframe carries both 'allow-scripts' and 'allow-same-origin'. The HTML specification calls this combination out: if the framed page has the same origin as the page containing the iframe, its script can remove the sandbox attribute and reload itself, escaping the sandbox entirely. In that situation script in the frame has the same access to the parent window's DOM, cookies and storage as any other same-origin script, so a compromise of the framed content (for example through an injected script) is a compromise of the page. The browser emits the warning for every iframe carrying both tokens, whether or not the framed content is same-origin, so confirming the origin of each framed document is the first step of the audit.
Why it might not be a bug
The combination is common and usually harmless for cross-origin embeds such as third-party widgets: the same-origin policy still isolates that frame from the parent, and 'allow-same-origin' only gives the widget its own origin so its cookies and storage work. It is a real problem when the framed content is same-origin (including srcdoc and about:blank frames), or when the sandbox was added to contain content the page does not fully trust.
Suggested Fix
1) Remove 'allow-same-origin' (the frame then runs in an opaque origin and cannot reach the parent) or 'allow-scripts' from the sandbox attribute, unless both are genuinely necessary. 2) If both are required, load the content only from trusted sources, and move same-origin content that needs both to a separate origin, since a same-origin frame with both tokens is not meaningfully sandboxed. 3) Send a Content Security Policy whose frame-src is limited to the expected origins, and give the framed document a CSP of its own. 4) Use Permissions Policy (the iframe 'allow' attribute) to limit the frame's access to sensitive APIs.
Why Fix
Where the framed content is same-origin, this configuration lets a compromised frame escape its sandbox and act with the user's session against the parent page; where it is cross-origin, the sandbox still grants more than the embed needs. Fixing it restores the containment the sandbox attribute was added to provide.
Route To
Security Engineer, Frontend Engineer
Tester: Sharon · Security Tester
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
2. Iframe Sandbox Bypass Vulnerability Enabling XSS and Privacy Exploitation
CRIT P10 · Conf 9/10 · Security / Other
Prompt to Fix
An iframe on the page has both 'allow-scripts' and 'allow-same-origin' in its sandbox attribute. When the framed document is same-origin with the page, this lets it escape the sandbox and access the parent page's DOM and user data. Audit all iframes in the codebase and remove 'allow-same-origin' from any iframe that has 'allow-scripts' enabled unless the embedded vendor demonstrably needs its own cookies or storage. Where the page and the frame must exchange data, use the postMessage API with an explicit target origin instead of relying on same-origin access within a script-enabled iframe. Treat same-origin frames carrying both tokens as the priority.
Why it's a bug
The console warning identifies an iframe with both 'allow-scripts' and 'allow-same-origin'. If the framed document is same-origin (including srcdoc and about:blank frames), its script can remove the sandbox attribute through window.frameElement and reload, after which it has full access to the parent page's DOM, localStorage, sessionStorage, cookies and anything the user has typed. The warning is emitted regardless of the framed origin, so this is a high-confidence finding that the attribute combination is present and needs review, not proof that an exploitable escape exists on this page.
Why it might not be a bug
Cross-origin embeds (payment, chat and advertising widgets commonly ask for exactly these two tokens) stay isolated by the same-origin policy, so for them the warning is a configuration smell rather than an exploitable escape. It still deserves review, because a sandbox that grants both tokens protects less than its author probably assumed.
Suggested Fix
Remove either 'allow-scripts' or 'allow-same-origin' from the iframe sandbox attribute. If the iframe requires scripting, use 'allow-scripts' alone; the frame then runs in an opaque origin, which also means it loses its own cookies and storage, so test the embed after the change. If same-origin access is required, do not allow scripts, or move the content to a separate origin. Use the postMessage API, with the target origin specified by the sender and the message origin checked by the receiver, for controlled communication between page and frame instead of relying on same-origin access within a script-enabled iframe.
Why Fix
For same-origin content, this configuration lets an attacker who controls the frame exfiltrate user data and session tokens from the parent page. Removing one token, or moving the content to its own origin, closes that path and keeps the sandbox meaningful.
Route To
Security Engineer / Frontend Lead
Tester: Pete · Privacy Console Log Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
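Issues 1 and 2 are the same console warning, and the fix for both starts with the audit step they ask for: list every iframe, check whether it carries both tokens, and work out whether the framed document is same-origin (where the escape is real) or cross-origin (where the warning fires but the same-origin policy still contains the frame). The following is an added example written for this report; it is not code from Testers.AI or from the audited site. The page origin https://shop.example, the vendor host widget.vendor.example and the sample frames are constructed for illustration.

```javascript
// Added example (not from the Testers.AI report or the audited site):
// classify each iframe's sandbox configuration the way a frontend audit would.
// Both tokens together are an escape risk only when the framed document shares
// the embedder's origin: its script can then use window.frameElement to delete
// the sandbox attribute and reload. A cross-origin frame with both tokens is
// still contained by the same-origin policy, although the browser's console
// warning is emitted for either case.

function parseSandboxTokens(value) {
  // sandbox is a space-separated, ASCII case-insensitive token list;
  // a missing attribute means the frame is not sandboxed at all.
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

function frameOrigin(frame, pageOrigin) {
  // srcdoc, about:blank and relative URLs all resolve to the embedder's origin.
  if (frame.srcdoc !== undefined) return pageOrigin;
  if (!frame.src || frame.src === 'about:blank') return pageOrigin;
  try {
    return new URL(frame.src, pageOrigin).origin;
  } catch (e) {
    return null; // unparsable src: unknown origin, do not assume it is safe
  }
}

function classifyFrame(frame, pageOrigin) {
  const tokens = parseSandboxTokens(frame.sandbox);
  if (tokens === null) return 'unsandboxed';
  if (!(tokens.has('allow-scripts') && tokens.has('allow-same-origin'))) return 'ok';
  const origin = frameOrigin(frame, pageOrigin);
  if (origin === null) return 'unknown';
  return origin === pageOrigin ? 'escapable' : 'warning-only';
}

const ADVICE = {
  unsandboxed: 'no sandbox attribute; outside the scope of this warning',
  ok: 'sandbox does not combine allow-scripts with allow-same-origin',
  escapable: 'same-origin content can remove its own sandbox: drop allow-same-origin, or serve the content from a separate origin',
  'warning-only': 'cross-origin content stays contained; drop allow-same-origin if the vendor does not need its own cookies or storage',
  unknown: 'src could not be parsed; inspect manually',
};

function auditFrames(frames, pageOrigin) {
  return frames.map((frame, index) => {
    const verdict = classifyFrame(frame, pageOrigin);
    return { index, src: frame.src, sandbox: frame.sandbox, verdict, advice: ADVICE[verdict] };
  });
}

// Browser entry point: paste into DevTools on the page under test.
function auditDocument(doc) {
  const frames = Array.from(doc.querySelectorAll('iframe')).map((el) => ({
    src: el.getAttribute('src'),
    srcdoc: el.hasAttribute('srcdoc') ? el.getAttribute('srcdoc') : undefined,
    sandbox: el.hasAttribute('sandbox') ? el.getAttribute('sandbox') : null,
  }));
  return auditFrames(frames, doc.location.origin);
}

// Constructed sample frames for a hypothetical page origin (not taken from the report).
const SAMPLE_FRAMES = [
  { src: '/promo/banner.html', sandbox: 'allow-scripts allow-same-origin' },
  { src: 'https://widget.vendor.example/embed', sandbox: 'allow-scripts allow-same-origin allow-forms' },
  { srcdoc: '<p>inline promo</p>', sandbox: 'allow-scripts allow-same-origin' },
  { src: '/promo/banner.html', sandbox: 'allow-scripts' },
  { src: 'https://widget.vendor.example/embed' },
];

if (typeof document === 'undefined') {
  for (const r of auditFrames(SAMPLE_FRAMES, 'https://shop.example')) {
    console.log(`#${r.index} ${r.verdict}: ${r.advice}`);
  }
}
```

Run auditDocument(document) in the browser console of the page under test to get the same verdicts for the live DOM. Frames injected later by a tag manager are only seen if the audit runs after they have been inserted, so run it once the page has settled.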
3. Multiple failed resource loads breaking core functionality
CRIT P10 · Conf 9/10 · Other / UX
Prompt to Fix
Multiple external resources fail to load with 'net::ERR_NAME_NOT_RESOLVED', including the connection to https://wtp.siteperformancetest.net/. First reproduce from an unrestricted network: a test harness or corporate egress that blocks third-party hostnames produces exactly this error. If the names genuinely do not resolve, identify the tags or tag-manager rules that load them, confirm with the vendor whether the endpoint has moved, and update or remove the reference. Do not leave a script tag pointing at a hostname that no longer resolves; check whether its domain is still registered, since a domain that has lapsed can be registered by someone else and then serves whatever they choose under that tag. Test that all external resources load successfully before deployment.
Why it's a bug
The console shows multiple 'net::ERR_NAME_NOT_RESOLVED' errors, meaning the browser could not resolve the hostnames of several external resources, so those scripts never ran. The one endpoint named in the evidence, wtp.siteperformancetest.net, is a performance-measurement service judging by its name, and analytics and tracking tags are the usual casualties of this class of failure. The '[IND] SiteKey Error' is logged by one of the page's scripts and is not tied to a hostname in the evidence; trace it to the script that emits it before concluding that a verification or bot-protection system is failing.
Why it might not be a bug
These are network or third-party configuration issues rather than defects in the site's own UI, and they may be an artifact of the testing environment's DNS or egress rules. If they reproduce from a normal network they are real: whatever depended on the missing scripts silently does not run.
Suggested Fix
Reproduce the failures from a normal network (for example, resolve each hostname with dig or nslookup) to rule out the test harness. For hostnames that do not resolve anywhere, find the tags that load them, ask the vendor for the replacement endpoint, and update or remove the reference; do not keep a script src pointing at a dead domain. Check firewall, proxy or DNS filtering rules that may be blocking requests to external services. When an endpoint changes, update the Content Security Policy (script-src, connect-src) to match, and add Subresource Integrity to static third-party scripts where the vendor supports it.
Why Fix
Failed resource loads silently disable whatever depended on the scripts: analytics, performance monitoring, and any verification step a third-party tag provides. Users see incomplete functionality with no error, and the site keeps shipping references to hostnames it cannot reach.
Route To
Backend/DevOps Engineer
Tester: Mia · Usability Tester
Technical Evidence
Elements: external script and resource loading tags
Console: Failed to load resource: net::ERR_NAME_NOT_RESOLVED (multiple instances); [IND] SiteKey Error; Failed to establish a connection to https://wtp.siteperformancetest.net/: net::ERR_NAME_NOT_RESOLVED
Network: multiple failed DNS resolutions to external service endpoints
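The triage step the suggested fix describes, pulling the failing hostnames out of a console dump and mapping each one to the tag that loads it, is mechanical enough to script. The following is an added example for this report, not code from Testers.AI or the audited site. The console lines are constructed in the shape the evidence quotes (only the wtp.siteperformancetest.net line is taken from the report), the sample markup, the script path /wtp.js, the host cdn.vendor.example and the base URL https://shop.example are hypothetical.

```javascript
// Added example (not from the Testers.AI report or the audited site):
// find which hosts failed DNS resolution in a console dump and which tags in
// the page reference them, so the owning team knows what to update or remove.

const DNS_ERROR = 'net::ERR_NAME_NOT_RESOLVED';

// Pull the failing host out of one console line. DevTools includes the URL in
// the message for connection failures but not in the generic "Failed to load
// resource" form, so some DNS failures cannot be attributed from text alone.
function failedHost(line) {
  if (!line.includes(DNS_ERROR)) return undefined; // not a DNS failure
  const m = line.match(/https?:\/\/([^\/\s:?#]+)/i);
  return m ? m[1].toLowerCase() : null;             // null = unattributed
}

function extractFailedHosts(lines) {
  const hosts = {};
  let unattributed = 0;
  for (const line of lines) {
    const host = failedHost(line);
    if (host === undefined) continue;
    if (host === null) { unattributed += 1; continue; }
    hosts[host] = (hosts[host] || 0) + 1;
  }
  return { hosts, unattributed };
}

// Find the tags in static markup that load from one of the failing hosts.
// A regex is enough for triage; tags injected at runtime by a tag manager
// will not appear here and need the DevTools network panel instead.
function findReferencingTags(html, hosts, baseUrl) {
  const re = /<(script|link|img|iframe)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let host;
    try {
      host = new URL(m[2], baseUrl).hostname.toLowerCase(); // handles // and relative URLs
    } catch (e) {
      continue; // unparsable URL: not attributable to a host
    }
    if (Object.prototype.hasOwnProperty.call(hosts, host)) {
      hits.push({ tag: m[1].toLowerCase(), url: m[2], host });
    }
  }
  return hits;
}

function triageFailedResources(lines, html, baseUrl) {
  const { hosts, unattributed } = extractFailedHosts(lines);
  return { hosts, unattributed, tags: findReferencingTags(html, hosts, baseUrl) };
}

// Constructed console lines in the shape the report quotes; only the
// wtp.siteperformancetest.net line is taken from the report's evidence.
const SAMPLE_CONSOLE = [
  'Failed to load resource: net::ERR_NAME_NOT_RESOLVED',
  'Failed to establish a connection to https://wtp.siteperformancetest.net/: net::ERR_NAME_NOT_RESOLVED',
  'GET https://cdn.vendor.example/tag.js net::ERR_NAME_NOT_RESOLVED',
  '[IND] SiteKey Error',
];

// Constructed markup; the script paths and vendor host are hypothetical.
const SAMPLE_HTML = `
<script src="https://wtp.siteperformancetest.net/wtp.js"></script>
<script src="//cdn.vendor.example/tag.js" async></script>
<link rel="preconnect" href="https://cdn.vendor.example">
<img src="/images/hero.jpg" alt="Hero">
`;

const report = triageFailedResources(SAMPLE_CONSOLE, SAMPLE_HTML, 'https://shop.example');
console.log(JSON.stringify(report, null, 2));
```

Each host in the output should then be resolved from a normal network before any change is made; a host that resolves there but not in the harness is a harness problem, while a host that resolves nowhere is a dead reference to remove or replace, and its domain registration is worth checking before the tag is left in place.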
151 more issues detected, including:
Critical network failures preventing resource loading across...
Potential Base64-Encoded Sensitive Data Exposed in Console L...
Insecure iframe Sandboxing Configuration Detected
and 148 more...
You're viewing the top 3 issues for Boohoo.