Boohoo
boohoo.com
App Quality Report
Powered by Testers.AI
Category Report โ†’ Competitive Grid โ†’ Animated Demo โ†’
B-80%
Quality Score
6
Pages
154
Issues
7.5
Avg Confidence
7.9
Avg Priority
58 Critical75 High21 Medium
Testers.AI
>_ Testers.AI AI Analysis

Boohoo scored B- (80%) with 154 issues across 7 tested pages, ranking #11 of 14 US retail sites. That's 49 more than the 105.1 category average (21st percentile).

Top issues to fix immediately: "Modal Dialog Blocks Primary Task - Empty Bag Conversion Blocker" โ€” Remove the modal from the empty bag page; "Iframe Sandbox Bypass Vulnerability - Script Execution Escape Risk" โ€” Audit all iframe implementations in the codebase to identify which iframe has this misconfiguration; "Unsafe Iframe Sandbox Configuration Warning Indicates XSS Risk" โ€” Remove either 'allow-scripts' or 'allow-same-origin' from the iframe sandbox attribute, depending on the iframe's fun....

Weakest area โ€” accessibility (5/10): Concerning lack of visible accessibility features. No apparent alt text visible for images, insufficient color contrast in some...

Quick wins: Implement comprehensive alt text for all product images and improve ARIA labels for better screen reader compatibility. Increase color contrast ratios throughout the page to meet WCAG AA standards, particularly in text elements.

Qualitative Quality
Boohoo
Category Avg
Best in Category
Issue Count by Type
A11y
39
Content
26
Security
26
UX
6
Visual
1
Pages Tested ยท 6 screenshots
Screenshot
Homepage
Screenshot
boohoo.com
Screenshot
boohoo.com
Screenshot
boohoo.com
Screenshot
boohoo.com
Screenshot
boohoo.com
Detected Issues ยท 154 total
1
Iframe Sandbox Bypass Vulnerability - Script Execution Escape Risk
CRIT P10
Conf 9/10 OtherSecurity
Prompt to Fix
Critical security issue detected: An iframe with sandbox='allow-scripts allow-same-origin' is configured in the application, which allows sandbox escape attacks. This configuration violates security best practices. Locate all iframe elements in the codebase and remove the combined 'allow-scripts' and 'allow-same-origin' attributes. Use only 'allow-scripts' if the iframe needs to execute scripts, OR only 'allow-same-origin' if same-origin access is required, but never both together. Additionally, implement Content Security Policy (CSP) headers with frame-src and sandbox directives to enforce these restrictions at the HTTP header level for defense-in-depth. Add automated security tests to detect this misconfiguration in the future.
Why it's a bug
The console warning explicitly alerts that 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.' This is a critical security configuration issue. When an iframe has both allow-scripts AND allow-same-origin simultaneously, it can break out of the sandbox and access the parent window's origin, execute arbitrary code in the parent context, access parent window's localStorage/sessionStorage, and potentially exfiltrate sensitive data or perform unauthorized actions on behalf of the user. This warning indicates an actual vulnerable iframe configuration exists in the application and is actively being exploited or misconfigured.
Why it might not be a bug
This is definitively a bug. The console warning is alerting to an actual security vulnerability, not a false positive. Browser security warnings about sandbox escape should always be treated as critical issues.
Suggested Fix
Audit all iframe implementations in the codebase to identify which iframe has this misconfiguration. Remove either 'allow-scripts' OR 'allow-same-origin' from the sandbox attribute depending on functionality requirements. If the iframe needs to execute scripts, use 'allow-scripts' alone. If it needs same-origin access, use 'allow-same-origin' alone. For most third-party embedded content, use only 'allow-scripts' with no 'allow-same-origin'. Implement Content Security Policy (CSP) headers to further restrict iframe behavior. Add security testing to the CI/CD pipeline to detect iframe sandbox misconfigurations before deployment.
Why Fix
This is a critical sandbox escape vulnerability that directly enables privilege escalation, cross-origin data theft, and session hijacking. Fixing this eliminates a major attack vector and is essential for protecting user data and application integrity.
Route To
Security Engineer / Frontend Engineer
Page
Basket
Tester
Sharon ยท Security Console Log Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
Network: N/A - iframe configuration issue, not network-related
2
Unsafe Iframe Sandbox Configuration Warning Indicates XSS Risk
CRIT P10
Conf 8/10 OtherSecurity
Prompt to Fix
Browser console is warning about an unsafe iframe sandbox configuration that combines both 'allow-scripts' and 'allow-same-origin' attributes. This allows the iframe to escape sandbox restrictions and execute scripts with same-origin privileges, creating an XSS vulnerability. Find all iframe elements in the codebase with 'sandbox="allow-scripts allow-same-origin"' or similar. Remove one of these permissions: keep either 'allow-scripts' OR 'allow-same-origin', but not both. If scripts in the iframe do not need parent-page access, use 'sandbox="allow-scripts"'. If same-origin access is required without script execution, use 'sandbox="allow-same-origin"'. Add CSP headers (Content-Security-Policy: script-src 'self') to enforce additional restrictions. Test that the iframe still functions correctly after the sandbox change.
Why it's a bug
The console warning '[WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing' indicates a critical security misconfiguration. This sandbox bypass allows embedded iframes to execute scripts with same-origin privileges, defeating the sandbox isolation boundary. An attacker controlling the iframe content could read/modify parent page data, steal credentials, or perform actions as the parent page user. This is a severe XSS vulnerability.
Why it might not be a bug
The warning is correctly surfaced by the browser, indicating the developer may be aware of the risk. However, the presence of this warning in production console logs confirms the misconfiguration is live and unfixed.
Suggested Fix
Remove either 'allow-scripts' or 'allow-same-origin' from the iframe sandbox attribute, depending on the iframe's functional requirements. If the iframe requires script execution, use 'sandbox="allow-scripts"' without 'allow-same-origin'. If cross-origin resource access is needed, use 'sandbox="allow-same-origin"' without 'allow-scripts'. Implement Content Security Policy (CSP) headers to enforce additional script execution restrictions. Audit all iframes in the codebase for this misconfiguration.
Why Fix
Unsafe iframe sandboxes represent a direct XSS attack vector that allows arbitrary script execution in the context of the parent page. This can lead to session hijacking, credential theft, malware injection, and complete account compromise. Fixing this is critical to prevent privilege escalation and data exfiltration.
Route To
Frontend Engineer, Security Engineer
Page
New In Clothing | Women's New In Clothes | boohoo UK
Tester
Sharon ยท Security Console Log Analyzer
3
Unsafe iframe sandbox configuration allowing script escape
CRIT P9
Conf 9/10 SecurityOther
Prompt to Fix
Fix the iframe sandbox configuration security vulnerability. Find all iframe elements that have both 'allow-scripts' and 'allow-same-origin' in their sandbox attribute and remove this dangerous combination. The browser warning indicates this allows scripts to escape the sandbox. Apply the principle of least privilege: only grant the minimum permissions needed. If the iframe needs to run scripts, use 'sandbox="allow-scripts"' without allow-same-origin. If same-origin access is required, use postMessage API for secure parent-child communication instead of allowing same-origin access.
Why it's a bug
The console warning '[WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing' indicates a critical security misconfiguration. An iframe with both allow-scripts and allow-same-origin permissions can bypass sandbox restrictions and access the parent window. This is a well-known security vulnerability that AI-generated code commonly introduces when creating iframes without proper security considerations.
Why it might not be a bug
This might be intentional if the iframe content is fully trusted, but the warning clearly indicates this is a security risk.
Suggested Fix
Review all iframe implementations. Remove the combination of allow-scripts and allow-same-origin together. If the iframe needs scripting capability, use allow-scripts without allow-same-origin. If same-origin access is needed, avoid allow-scripts and use postMessage for communication instead. Apply the principle of least privilege.
Why Fix
This vulnerability allows injected or malicious iframe content to access the parent page's cookies, session tokens, and DOM, leading to session hijacking, credential theft, and XSS attacks. This is a critical security issue.
Route To
Security Engineer
Page
boohoo | Womens and Mens Clothes | Shop Online Fashion
Tester
Jason ยท GenAI Code Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
+151
151 more issues detected  View all →
Iframe Sandbox Escape Vulnerability - Security Risk
Sandbox Escape Vulnerability Enabling Script Execution
Iframe Sandbox Bypass Vulnerability Logged Without Mitigatio...
and 148 more...
Generated by Testers.AI ยท Boohoo Quality Scan
Unlock All 154 Issues
You're viewing the top 3 issues for Boohoo.
Sign up at Testers.AI to access the full report with all 154 detected issues, detailed fixes, and continuous monitoring.
Sign Up at Testers.AI or let us run the tests for you