Uber
App Quality Report
Powered by Testers.AI
Quality Score: B (83%)
Pages: 15
Issues: 251
Avg Confidence: 7.9
Avg Priority: 7.9
Severity: 100 Critical, 114 High, 37 Medium
Testers.AI AI Analysis

Uber scored B (83%) with 251 issues across 12 tested pages, ranking #6 of 8 Testlio portfolio apps. That's 52 more than the 199.2 category average (12th percentile).

Top issues to fix immediately: "FedCM CredentialRequestOptionsMode 'widget' causes Google Identity sig" - Update Google Identity Services / FedCM integration to use a FedCM-compliant CredentialRequestOptions; "Informative images have non-descriptive alt text (alt="undefined")" - Provide meaningful alt text for each image describing its content; "Images/icons missing descriptive alt text (alt='undefined')" - Provide meaningful alt text for all content images/icons or mark decorative images as aria-hidden='true' with empty alt.

Weakest area - accessibility (5/10): Possible issues with font size and color contrast on mobile; need better keyboard navigation and alt text considerations.

Quick wins: Prioritize a clear mobile funnel with a single primary CTA above the fold (e.g., Book a ride). Improve hierarchy with larger typography and consistent section headings.

[Chart: Qualitative Quality, comparing Uber, Category Avg and Best in Category]
Issue Count by Type
Content: 59
A11y: 24
Security: 17
UX: 14
Visual: 8
Legal: 1
Pages Tested · 15 screenshots
Detected Issues · 251 total
1. Content Security Policy blocks analytics/connect-src to analytics-ipv6.tiktokw.us
CRIT P9
Conf 9/10 Security, Other
Prompt to Fix
Review the page's Content Security Policy. Add analytics-ipv6.tiktokw.us to the connect-src directive (or adjust the policy to allow the necessary analytics endpoints) while maintaining privacy/compliance requirements. Ensure the header is correctly applied in all environments and that analytics calls are not blocked.
Why it's a bug
The CSP blocks a network request to an analytics endpoint (analytics-ipv6.tiktokw.us), likely preventing analytics data collection and potentially breaking features that rely on remote resources. This can lead to incomplete metrics and degraded user insights.
Why it might not be a bug
If the intention is to disable analytics due to privacy/compliance, this may be deliberate; however, the log indicates an unintentional blocking of a required analytics call, suggesting misconfiguration.
Suggested Fix
Update the CSP connect-src directive to either include analytics-ipv6.tiktokw.us (and any other required analytics endpoints) or adjust the analytics integration to communicate over allowed endpoints. Validate header construction on all environments and ensure that CMP/privacy requirements are honored while preserving essential telemetry.
Why Fix
Ensures analytics and related telemetry can function, enabling product teams to measure usage and diagnose issues. Also reduces silent failures that could impact business decisions.
Route To
Security/Frontend DevOps
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [ERROR] Connecting to 'https://analytics-ipv6.tiktokw.us/ipv6/enrich_ipv6' violates the following Content Security Policy directive: "connect-src 'self' ... The action has been blocked.
Network: https://analytics-ipv6.tiktokw.us/ipv6/enrich_ipv6
2. AI endpoints detected and loaded on page load (privacy/performance risk)
CRIT P9
Conf 9/10 Other
Prompt to Fix
Move all AI endpoint calls behind a user action or explicit opt-in; implement consent UI and a feature flag; audit and minimize third-party AI integrations; ensure data collection is minimal and privacy-compliant.
Why it's a bug
Console shows repeated markers '⚠️ AI/LLM ENDPOINT DETECTED' and numerous external AI-domain requests, implying AI services are invoked automatically on load, which can leak prompts, consume bandwidth, and slow startup.
Why it might not be a bug
If this is strictly a development-only diagnostic log, it could be gated, but in production it represents a privacy/UX concern.
Suggested Fix
Defer all AI endpoint calls until explicit user action or explicit consent; audit external AI integrations; add a user-facing opt-in, and implement feature flags; minimize payloads and cache results when appropriate.
Why Fix
Prevents unintended data exposure, conserves bandwidth, and improves perceived performance.
Route To
Frontend/Privacy Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: ⚠️ AI/LLM ENDPOINT DETECTED
Network: N/A (log indicates AI-endpoint usage but no single URL is clearly visible in the screenshot)
3. Content Security Policy blocks analytics connections
CRIT P9
Conf 9/10 Security, Other
Prompt to Fix
Update the Content-Security-Policy to allow the needed analytics endpoints (or route analytics through approved proxies) and ensure the hostnames are managed with proper consent controls; verify that dynamic hosts are whitelisted securely.
Why it's a bug
Console shows a CSP violation when attempting to connect to analytics domains (e.g., analytics-ipv6.tiktokw.us), resulting in blocked analytics and degraded measurement.
Why it might not be a bug
If CSP is intentionally strict for security, it's expected; however, it blocks essential analytics and reduces visibility into app usage.
Suggested Fix
Whitelist required analytics hosts in the CSP or proxy analytics through approved domains; consider using nonce/hash-based CSP for dynamic endpoints; implement user consent gating for analytics.
Why Fix
Ensures analytics load reliably and preserves measurement capabilities, while maintaining security posture.
Route To
Security/Platform Engineer
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: Content Security Policy directive: connect-src 'self' 'self' blob: d1a3f4spazzrp4.cloudfront.net ... The action has been blocked. Connecting to 'https://analytics-ipv6.tiktokw.us/ipv6/enrich_ipv6' violates the following CSP directive: connect-src ...
Network: https://analytics-ipv6.tiktokw.us/ipv6/enrich_ipv6
248 more issues detected
Inline script usage violating CSP (inline JS)
Content Security Policy violation: blocked inline script
Inline JavaScript blocked by CSP (unsafe-inline) - inline sc...
and 245 more...