B84%
Quality Score
15
Pages
221
Issues
8.0
Avg Confidence
7.9
Avg Priority
94 Critical93 High34 Medium
>_ Testers.AI
AI Analysis
Roku scored B (84%) with 221 issues across 7 tested pages, ranking #4 of 8 Testlio portfolio apps. That's 22 more than the 199.2 category average (38th percentile).
Top issues to fix immediately: "Critical: Resource failed to load (HTTP 404) breaking UI assets" โ Identify the missing asset URL from the network panel, verify the file exists at the expected path on the server and ...; "Critical: DNS resolution failure blocks resource loading (ERR_NAME_NOT" โ Audit all external hostnames used by the app, verify DNS records are correct and reachable from client environments, ...; "Non-descriptive alt text on informative image (alt='S')" โ Replace the alt text with a concise, descriptive description of the image content (e.
Weakest area โ usability (6/10): Intuitive concept but navigation depth and the amount of content on a long scroll may hinder quick task completion.
Quick wins: Simplify the top navigation and add a prominent search and sign-in path to reduce cognitive load on first visit. Improve accessibility: provide clear focus indicators, scalable fonts, alt text for media, and skip-to-content links.
Qualitative Quality
Roku
Category Avg
Best in Category
Pages Tested ยท 15 screenshots
Homepage
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
www.roku.com
Detected Issues ยท 221 total
1
PII in query parameter sent to third-party analytics (IP address exposed)
CRIT P9
Prompt to Fix
Prompt to AI coding assistant: In the client-side code that sends analytics events to https://pixel.web.roku.com/api/v2/scribe, remove any IP address from the query string. Ensure the request either omits the ip parameter entirely or uses an anonymized value. If IP data is required for privacy/compliance reasons, route it to a server-side endpoint with strict access controls and no exposure to third-party trackers, or enable IP anonymization at the analytics provider level. Update the code to reflect data minimization, review consent flows for analytics, and add tests that verify IP is not sent in the URL for this endpoint.
Why it's a bug
The network call to the third-party analytics endpoint includes the user's IP address (ip=24.17.117.100) in the URL query string. Sending IP addresses to external trackers constitutes a privacy-sensitive data exposure and increases the risk of user tracking across sites. This can raise GDPR/CCPA/privacy-policy compliance concerns and exposes sensitive data in browser history and analytics logs. Even if transmitted over HTTPS, the IP is still being revealed to a third party and could be misused or aggregated across domains.
Why it might not be a bug
Analytics providers sometimes require IP data for geolocation or fraud prevention; if there is a documented privacy policy and user consent, this may be deemed acceptable. However, best practice is to minimize or anonymize IP before transmission to third parties, and ensure explicit user consent where required.
Suggested Fix
Remove the ip parameter from the pixel.web.roku.com scribe URL or replace it with an anonymized value (e.g., omit the IP or send a masked value). If IP data is necessary for internal fraud prevention, ensure it is processed server-side or anonymized before reaching third-party analytics. Verify and tighten privacy controls, add user consent where required, and implement data minimization for all third-party requests.
Why Fix
Reducing or eliminating IP exposure to third-party analytics lowers privacy risk, reduces potential regulatory exposure, and aligns with data minimization principles. It also minimizes cross-origin data leakage and potential fingerprinting vectors.
Route To
Privacy Engineer, Security Engineer
Page
Tester
Sharon ยท Security Networking AnalyzerTechnical Evidence
Network:
GET https://pixel.web.roku.com/api/v2/scribe?app=www&eventType=action&uvn=undefined&usn=undefined&ip=24.17.117.100&experiment=RRuYXG9UN%7CRRuYXG9UN%232%2CK4Vhc3QXy%7CK4Vhc3QXy%23Test%2CCIxKUTHXP%7CCIxKUTHXP%232%2CoHxxc92JA%7CoHxxc92JA%231%2C1OOOoAe5Z%7C1OOOoAe5Z%231%2CzAdA8cu8K%7CzAdA8cu8K%231&auth=undefined&locale=%7B%22country%22%3A%22undefined%22%2C%22language%22%3A%22undefined%22%7D&channelStoreCode=US×tamp=1773791686358&action=Pageview&page=https%3A%2F%2Fwww.roku.com%2Fcheckout&referrer=&devices=%5B%7B%7D%5D&2
PII exposed in analytics/tracking URLs (IP in query string)
CRIT P9
Prompt to Fix
Modify the analytics scribe URL construction to strip IPs from query parameters. Implement a privacy-preserving analytics layer that uses anonymized IDs instead of raw IPs, and add a lint/test to prevent IPs from being included in URL query strings in the future.
Why it's a bug
The page makes a tracking/open analytics request that includes a user's IP address in the URL query string (ip=24.17.117.100). This is a privacy risk because IPs can be logged by intermediaries, analytics tools, and server logs, potentially exposing sensitive user data without consent. This pattern is common in AI-generated templates that copy analytics boilerplate without redaction.
Why it might not be a bug
Some analytics implementations capture IPs for geolocation or fraud prevention; however, exposing IPs in query strings is a known privacy risk and is generally considered avoidable.
Suggested Fix
Redact or anonymize IP in all analytics/tracking URLs. Use server-side IP anonymization or replace with a hashed/pseudonymous identifier. Avoid sending raw IP in query strings; centralize analytics configuration to ensure PII is not leaked.
Why Fix
Protect user privacy, reduce risk of data leakage, and stay compliant with privacy regulations. This is a high-priority issue for user trust and regulatory compliance.
Route To
Privacy/Security Engineer
Page
Tester
Jason ยท GenAI Code AnalyzerTechnical Evidence
Console:
POST https://www.google.com/ccm/collect?frm=0&ae=g&en=page_view...&ip=24.17.117.100&...Network:
POST https://pixel.web.roku.com/api/v2/scribe?app=www&eventType=action&uvn=undefined&usn=undefined&ip=24.17.117.100&experiment=RRuYXG9UN%7CRRuYXG9UN%232%2CK4Vhc3QXy%7CK4Vhc3QXy%23Test%2CCIxKUTHXP%7CCIxKUTHXP%232%2CoHxxc92JA%7CoHxxc92JA%231%2C1OOOoAe5Z%7C1OOOoAe5Z%231%2CzAdA8cu8K%7CzAdA8cu8K%231&auth=undefined&locale=%7B%22country%22%3A%22undefined%22%2C%22language%22%3A%22undefined%22%7D&channelStoreCode=US×tamp=1773791686358&action=Pageview&page=https%3A%2F%2Fwww.roku.com%2Fcheckout&referrer=&devices=%5B%7B%7D%5D&3
PII leakage via analytics endpoint parameter (IP address in scribe URL)
CRIT P9
Prompt to Fix
Modify client-side analytics so it does not send the real user IP in query params. Replace ip parameter with an anonymized token or remove it entirely. Add a consent-gated option for analytics and route telemetry through a privacy-preserving service.
Why it's a bug
The scribe/analytics request URL includes ip=24.17.117.100, exposing a user's IP in client-side logs. This is a privacy/security risk and could violate privacy regulations.
Why it might not be a bug
Analytics often include IPs, but best practices require masking or server-side handling to protect user privacy.
Suggested Fix
Do not forward raw client IPs in query strings. Use anonymized identifiers or server-side logs with consent, and redact or hash IPs. Consider moving analytics behind a consent wall and/or using privacy-preserving telemetry.
Why Fix
Reduces privacy risk, helps comply with data protection regulations, and improves user trust.
Route To
Privacy Engineer / Backend/Analytics Engineer
Page
Tester
Jason ยท GenAI Code AnalyzerTechnical Evidence
Console:
GET https://pixel.web.roku.com/api/v2/scribe?app=www&eventType=action&uvn=12702698-97e0-4322-b20e-fe2f4046c962%3Ad1f8bb969dcd581fa33634b57b508708&usn=false&ip=24.17.117.100&experiment=&auth=false&locale=%7B%22country%22%3A%22US%22%2C%22language%22%3A%22en%22%7D&channelStoreCode=US×tamp=1773791704939&action=Pageview&page=https%3A%2F%2Fwww.roku.com%2Fwhats-on&referrer=&devices=%5B%7B%7D%5D&misc=%7B%22utmcsr%22%3A%22(direct)%22%2C%22utmcmd%22%3A%22(none)%22%2C%22utmccn%22%3A%22(not%20set)%22%7D&Network:
GET https://pixel.web.roku.com/api/v2/scribe?app=www&eventType=action&uvn=12702698-97e0-4322-b20e-fe2f4046c962%3Ad1f8bb969dcd581fa33634b57b508708&usn=false&ip=24.17.117.100&experiment=&auth=false&locale=%7B%22country%22%3A%22US%22%2C%22language%22%3A%22en%22%7D&channelStoreCode=US×tamp=1773791704939&action=Pageview&page=https%3A%2F%2Fwww.roku.com%2Fwhats-on&referrer=&devices=%5B%7B%7D%5D&misc=%7B%22utmcsr%22%3A%22(direct)%22%2C%22utmcmd%22%3A%22(none)%22%2C%22utmccn%22%3A%22(not%20set)%22%7D&