Netflix
App Quality Report
Powered by Testers.AI
Quality Score: B+ (89%)
Pages: 9
Issues: 117
Avg Confidence: 8.1
Avg Priority: 7.9
48 Critical, 48 High, 21 Medium
Testers.AI AI Analysis

Netflix scored B+ (89%) with 117 issues across 7 tested pages, ranking #1 of 8 Testlio portfolio apps. That's 82 fewer than the 199.2 category average (88th percentile).

Top issues to fix immediately: "Promo/cookie banner obstructs the main hero and CTA" - Make the banner non-blocking for the initial view: move it to a non-overlapping area (e; "Critical: DNS resolution failures causing asset loads to fail (ERR_NAM" - Audit all asset hostnames used by the app (scripts, styles, images, fonts); "AdTech iframe data payload leaks membership and location details to th" - Minimize data shared with third parties by removing raw membership/location attributes from the URL.

Weakest area - accessibility (6/10): High-contrast colors help readability, but busy hero and image-heavy content may challenge screen readers and keyboard users; n...

Quick wins: Increase hero readability with a subtler overlay or simplified background to improve text contrast. Add a prominent, accessible search bar and skip links for keyboard users.

[Chart: Qualitative Quality, comparing Netflix, Category Avg, and Best in Category]
Issue Count by Type
A11y: 36
Content: 34
UX: 12
Visual: 2
Security: 1
Pages Tested · 9 screenshots
Verified Test Flows · 4 passed

✓ PASSED TC004 (4/5 steps): Verify 'What is Netflix?' FAQ Toggle
Ensure the FAQ section for 'What is Netflix?' expands and collapses correctly.
✓ Step 1: Locate the 'What is Netflix?' FAQ button.
✓ Step 2: Click the button.
✓ Step 3: Check that the answer content appears below.
✓ Step 4: Click again to collapse and verify the content is hidden.

✓ PASSED TC005 (5/6 steps): Verify Footer Links Navigation
Test that footer links like 'Help Center', 'Terms of Use', and 'Privacy' navigate to correct pages.
✓ Step 1: Click on each footer link: 'Help Center', 'Terms of Use', 'Privacy'.
✓ Step 2: Verify that the URL updates to the correct page.
✓ Step 3: Repeat for all footer links.

✓ PASSED TC009 (3/4 steps): Test Accessibility of 'Learn More' Button
Check that the 'Learn More' button is functional and leads to additional info.
✓ Step 1: Locate the 'Learn More' button.
✓ Step 2: Click the button.
✓ Step 3: Verify that additional information appears or page navigates accordingly.

✓ PASSED TC010 (3/4 steps): Validate Responsive Layout on Mobile
Ensure the page layout adjusts correctly on mobile devices.
✓ Step 1: Open the browser in mobile emulation mode or on a mobile device.
✓ Step 2: Load the homepage.
✓ Step 3: Verify that key elements (buttons, links, carousels) are accessible and correctly displayed.

Detected Issues · 117 total
1
AdTech iframe data payload leaks membership and location details to third-party advertisers
CRIT P9
Conf 9/10 Other
Prompt to Fix
Paste a privacy-focused change: In the adtech_iframe_target_05.html integration, remove the data payload from the URL that includes membership_status, country, region_code, is_member, referrer, and deniedConsentCookieGroups. Instead, pass a consent token or use a first-party mechanism to convey advertising consent. Implement data minimization by ensuring no detailed user attributes are transmitted to third parties in client-side URLs. Add a CMP-driven gating check so that advertising data sharing only occurs after explicit user consent. Validate the data sent to ad networks via logs and ensure no PII-like fields are exposed in URLs.
Why it's a bug
An adtech iframe (ae.nflximg.net/monet/scripts/adtech_iframe_target_05.html) is loaded with a data query parameter containing membership_status, country, region_code, is_member, referrer, and deniedConsentCookieGroups. This transmits user state and location attributes to a third-party advertising network in the URL, enabling third-party profiling without explicit, verifiable user consent for sharing such data. The data is exposed in the URL and can be logged by intermediaries, increasing privacy risk and potential regulatory non-compliance.
Why it might not be a bug
Some CMPs and ad ecosystems rely on shared data for personalized advertising. If explicit user consent is obtained and data is strictly minimized, this may be acceptable. However, the current payload contains multiple potentially sensitive attributes in a URL, and the CMP/consent flow is not clearly guaranteeing proper disclosure or consent handling in this exact call.
Suggested Fix
Minimize data shared with third parties by removing raw membership/location attributes from the URL. Replace with a consent token or opaque identifier that third parties can interpret only in a privacy-preserving way. Implement data minimization: do not pass membership_status, is_member, region_code, country, referrer, or deniedConsentCookieGroups in the adtech URL. Gate third-party requests behind explicit consent for advertising cookies; consider moving data handling to a first-party domain and use server-side consent signals rather than exposing detailed user attributes in client-side URLs.
Why Fix
Reducing third-party data leakage protects user privacy, improves regulatory compliance (GDPR/CCPA), and reduces risk of data being logged or misused by advertisers.
Route To
Privacy Engineer / Frontend Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: GET https://ae.nflximg.net/monet/scripts/adtech_iframe_target_05.html?data=%7B%22membership_status%22%3A%22ANONYMOUS%22%2C%22country%22%3A%22US%22%2C%22region_code%22%3A%22WA%22%2C%22is_member%22%3A%22ANONYMOUS%22%2C%22wasFormerMember%22%3Afalse%2C%22referrer%22%3A%22nmLanding%22%2C%22deniedConsentCookieGroups%22%3A%22C0005%22%7D - Status: N/A
Network: GET https://ae.nflximg.net/monet/scripts/adtech_iframe_target_05.html?data=%7B%22membership_status%22%3A%22ANONYMOUS%22%2C%22country%22%3A%22US%22%2C%22region_code%22%3A%22WA%22%2C%22is_member%22%3A%22ANONYMOUS%22%2C%22wasFormerMember%22%3Afalse%2C%22referrer%22%3A%22nmLanding%22%2C%22deniedConsentCookieGroups%22%3A%22C0005%22%7D - Status: N/A
2
AI/LLM endpoints invoked on page load without explicit consent
CRIT P9
Conf 9/10 Other
Prompt to Fix
Audit all code paths that fire AI/LLM requests on page load. Remove non-essential calls or wrap them behind a user consent prompt. Implement lazy-loading of AI requests and explicitly document AI data usage in a privacy policy. Add a feature flag to enable/disable AI features and ensure requests respect CORS and user consent.
Why it's a bug
Console logs explicitly flag AI/LLM endpoints being detected, suggesting on-load calls to AI services without user interaction or consent. This can raise privacy concerns, affect performance, and violate user expectations around data usage and consent for AI features.
Why it might not be a bug
If the site intentionally uses on-load AI calls for features like content personalization, it should clearly disclose this and obtain consent; otherwise it could surprise users.
Suggested Fix
Defer any AI/LLM API calls until user interaction or explicit consent is obtained. Add a transparent privacy prompt and a settings toggle to enable/disable AI features. Remove or lazy-load non-essential AI calls and ensure all requests are covered by user consent banners.
Why Fix
Deferring AI calls improves user privacy, reduces unnecessary network traffic, and aligns with privacy best practices, reducing risk of silent data leakage.
Route To
Security/Privacy Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: ⚠️ AI/LLM ENDPOINT DETECTED
Network: Detected AI endpoint calls logged by console; exact endpoints not shown in screenshot, but the messages indicate AI-related network activity.
3
Geolocation data request to OneTrust geolocation service exposes location to a third-party consent provider
HIGH P8
Conf 8/10 Other
Prompt to Fix
Provide a privacy-preserving approach to geolocation sharing: remove direct geolocation requests from client-side flows until explicit location consent for third-party sharing is granted. If necessary, switch to coarse location or IP-based location with no precise coordinates, and implement consent-gating in the CMP. Ensure any location data sent to OneTrust is strictly limited to what is required for the consent UI and disclosed in the privacy policy; replace with a token-based signal instead of raw location data in network calls.
Why it's a bug
A request to geolocation.onetrust.com/cookieconsentpub/v1/geo/location indicates transmission of location data to a third-party consent provider. Even if used for geolocation-based consent or region-specific UI, exposing location data to a third party increases privacy risk and could run afoul of data minimization principles and consent requirements absent explicit, user-granted geolocation sharing.
Why it might not be a bug
If explicit user consent is obtained for geolocation sharing and the CMP requires location for proper consent experience, this may be deemed necessary. However, the data flow should be minimized, clearly disclosed, and gated behind consent with robust controls.
Suggested Fix
Delay geolocation requests until after explicit user consent for location data sharing, and only request coarse, non-identifying location or use IP-based approximations with strict minimization. Ensure the CMP's location sharing is clearly disclosed in the privacy notice and present consent options for location sharing. Consider performing geolocation processing server-side where possible and using tokenized consent signals rather than raw location data.
Why Fix
Improves privacy by limiting sharing of location data to third parties and ensures consent-driven data handling, aligning with privacy regulations and user expectations.
Route To
Privacy Engineer / Frontend Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: GET https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location - Status: N/A
Network: GET https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location - Status: N/A
114 more issues detected
Deprecated Apple Web App Meta Tag
Critical: DNS resolution failures causing asset loads to fai...
DNS resolution failures causing multiple resource loads to f...
and 111 more...
You're viewing the top 3 issues for Netflix.