Jacamo
App Quality Report
Powered by Testers.AI

Quality Score: B (83%)
Pages: 6
Issues: 131
Avg Confidence: 7.6
Avg Priority: 7.8
Severity: 46 Critical, 65 High, 20 Medium

Testers.AI AI Analysis

Jacamo scored B (83%) with 131 issues across 7 tested pages, ranking #8 of 14 US retail sites. That's 26 more than the 105.1 category average (36th percentile).

Top issues to fix immediately: "Access Denied Page Blocks User from Completing Task" - Display a user-friendly error message that explains why access was denied (e; "Critical: 403 Access Denied Error Blocks Page Load" - Investigate the 403 Forbidden error on the server; "Missing Cache Headers on All Critical Resources" - 1) Add Cache-Control headers to all responses: use 'max-age=31536000, immutable' for versioned assets in _next/static....

Weakest area - accessibility (5/10): Significant concerns with color contrast ratios, no visible alt text strategy, and potential keyboard navigation issues.

Quick wins: Improve color contrast ratios, especially red text on dark backgrounds, to meet WCAG AA standards. Add descriptive alt text to all product images and banner graphics.

[Chart: Qualitative Quality - Jacamo vs. Category Avg vs. Best in Category]

Issue Count by Type
A11y: 48
Content: 18
UX: 11
Security: 8
Visual: 2

Pages Tested · 6 screenshots
Detected Issues · 131 total

1. Content Security Policy Violation - Blocked Frame Loading
CRIT P9 · Conf 9/10 · Security, Other
Prompt to Fix
The application is throwing a Content Security Policy (CSP) violation error: 'Framing https://sgtm.jacamo.co.uk/ violates the frame-src directive'. The domain 'https://sgtm.jacamo.co.uk' is not in the allowed list for the frame-src CSP directive. Determine if this domain is a legitimate third-party service required by the application. If yes, add 'https://sgtm.jacamo.co.uk' to your CSP frame-src directive in your security headers or meta tag. If no, remove the iframe or frame reference to this domain from your application code.
Why it's a bug
A CSP directive violation is blocking the loading of 'https://sgtm.jacamo.co.uk/' because it's not in the allowed frame-src list. CSP violations indicate security policy misconfigurations that prevent legitimate resources from loading. This impacts functionality and indicates a security/configuration issue that must be addressed.
Why it might not be a bug
The CSP may be intentionally strict, but if sgtm.jacamo.co.uk is a legitimate resource the application needs, the CSP must be updated.
Suggested Fix
1) Determine if 'https://sgtm.jacamo.co.uk/' is a legitimate resource needed by the application. 2) If yes, add it to the Content-Security-Policy frame-src directive. 3) Update the CSP header to include: frame-src 'self' https://fp.simplybe.co.uk https://fp.jdwilliams.co.uk https://fp.jacamo.co.uk https://h.online-metrix.net https://sgtm.jacamo.co.uk. 4) If no, investigate why the application is attempting to load this resource and remove the reference.
Why Fix
CSP violations prevent legitimate functionality from working and indicate security policy misconfigurations. Fixing this allows required resources to load while maintaining security posture.
Route To
Security Engineer, Backend Engineer
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [ERROR] Framing 'https://sgtm.jacamo.co.uk/' violates the following Content Security Policy directive: "frame-src 'self' https://fp.simplybe.co.uk https://fp.jdwilliams.co.uk https://fp.jacamo.co.uk https://h.online-metrix.net". The request has been blocked.
Network: Frame loading attempt blocked by CSP

2. Multiple Content Security Policy (CSP) Violations and Frame Loading Failures
CRIT P9 · Conf 9/10 · Security, Other
Prompt to Fix
The registration form on jacamo.co.uk is experiencing Content Security Policy violations preventing https://sgtm.jacamo.co.uk from loading in iframes, and postMessage communication is failing due to origin mismatches (target origin 'https://sgtm.jacamo.co.uk' vs recipient window origin 'null'). Fix the CSP configuration by: 1) Adding 'https://sgtm.jacamo.co.uk' to the frame-src directive if it's a legitimate first-party service, 2) Ensuring all cross-origin postMessage handlers properly validate origins instead of matching against 'null', 3) Implementing proper iframe initialization to ensure the window object has the correct origin context. Provide the corrected CSP meta tag and cross-origin communication handler code.
Why it's a bug
The console logs show repeated CSP violations where 'https://sgtm.jacamo.co.uk/' is being blocked by the frame-src directive. This indicates a security misconfiguration where server-side tag management or tracking scripts are attempting to load in iframes without proper CSP allowance. This is a critical security and functionality issue that prevents legitimate third-party services from operating correctly. The repeated postMessage warnings further indicate broken cross-origin communication.
Why it might not be a bug
CSP policies are intentionally restrictive by design to prevent security breaches. However, the pattern of repeated failures suggests the policy is too restrictive for legitimate business needs, which requires remediation.
Suggested Fix
1) Update the CSP frame-src directive to include 'https://sgtm.jacamo.co.uk' if it is a legitimate first-party service, or remove it if no longer needed. 2) Verify that all third-party tracking/analytics services (Bazaarvoice, Bing, Facebook, TikTok, etc.) are properly configured in CSP directives. 3) Implement proper origin matching for postMessage handlers to fix the cross-origin communication errors. 4) Test all tracking and analytics functionality after CSP updates.
Why Fix
CSP violations block legitimate business functionality including analytics, conversion tracking, and user behavior monitoring. This causes loss of critical business intelligence and prevents proper campaign attribution. The repeated failures also degrade page performance.
Route To
Security Engineer / DevOps / Backend Platform Team
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: [ERROR] Framing 'https://sgtm.jacamo.co.uk/' violates the following Content Security Policy directive: "frame-src 'self' https://fp.simplybe.co.uk https://fp.jdwilliams.co.uk https://fp.jacamo.co.uk https://h.online-metrix.net". The request has been blocked. [WARN] Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://sgtm.jacamo.co.uk') does not match the recipient window's origin ('null').
Network: GET https://sgtm.jacamo.co.uk/gtm.js?id=GTM-K56QNZLS - Status: 200 (but blocked by CSP at frame level)

3. CSP Frame Injection Violation - Security Policy Bypass Risk
CRIT P9 · Conf 8/10 · Security, Other
Prompt to Fix
Fix the CSP frame injection violation. The error is: 'Framing https://sgtm.jacamo.co.uk/ violates CSP directive frame-src'. The domain IS in the CSP allowlist but the frame is being blocked. The issue is likely in how the iframe is being created or the exact URL being framed. Provide code that: (1) creates iframes using createElement('iframe') with src set via setAttribute, (2) ensures the exact URL (with protocol/domain/path) matches CSP allowlist, (3) avoids document.write or innerHTML for frame injection, (4) logs the actual src being set for debugging. Show me the corrected iframe creation code.
Why it's a bug
Console error shows: 'Framing https://sgtm.jacamo.co.uk/ violates CSP directive frame-src'. This indicates the code is attempting to inject or frame content that violates the Content Security Policy. While sgtm.jacamo.co.uk is listed in the CSP allowlist, the violation suggests the code is either: 1) dynamically creating frames without proper attribute configuration, 2) using document.write or DOM manipulation to inject iframe elements, or 3) attempting to frame a different variant of the URL. This is typical AI-generated code that doesn't account for CSP constraints and attempts direct DOM injection without respecting security policies.
Why it might not be a bug
The domain is listed in the CSP allowlist, so this could be a false positive from browser CSP parsing. However, the error being logged indicates the violation occurred, suggesting the code generated an invalid frame.
Suggested Fix
1) Review all iframe/frame creation code and ensure they explicitly set 'src' attributes before DOM insertion. 2) Verify all frame URLs match exactly with CSP allowlist entries (protocol, domain, path). 3) Avoid dynamic frame creation via document.write or innerHTML. 4) Use proper createElement('iframe') with attributes set before appending. 5) Add CSP meta tag validation or audit the exact frame URL being requested.
Why Fix
CSP violations indicate potential security vulnerabilities and can block legitimate third-party integrations. This breaks analytics and fraud detection systems, causing incomplete tracking and potential security gaps.
Route To
Security Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: [ERROR] Framing 'https://sgtm.jacamo.co.uk/' violates the following Content Security Policy directive: "frame-src 'self' https://fp.simplybe.co.uk https://fp.jdwilliams.co.uk https://fp.jacamo.co.uk https://h.online-metrix.net". The request has been blocked.
Network: GET https://sgtm.jacamo.co.uk/gtm.js?id=GTM-K56QNZLS - Status: 200

128 more issues detected
Third-party tracking identifier exposed in CORS error logs
Cross-Origin PostMessage Failures - Repeated Communication E...
Excessive Third-Party AI/Analytics Services Loading Without ...
and 125 more...
You're viewing the top 3 issues for Jacamo.