asd4

It is common to see content on the web being loaded from many different domains all owned by the company providing the service or site. Today this really reached a new level of absurdity for me:

I received an email that indicated I had been given access to a OneDrive share. It was a little sketchy so I decided to navigate to the base domain and login. Examining the URL I find sharepoint.com. The next steps followed:

  1. sharepoint.com redirected to microsoft.com
  2. Clicking "login" took me to live.com
  3. Entering my username and pressing enter took me to microsoftonline.com
  4. Entering may password and pressing enter took me to office.com (and the Office dashboard)
  5. I go back to my email and click the link, which takes me to a logged in page on sharepoint.com with OneDrive branding.

This took me a bit because it was sketchy being bounced from domain to domain during a simple login process so I checked the cert each time.

I know this Microsoft stuff is an extreme example but it happens everywhere under the hood. I see this a lot with javascript and content: Sketchy domains that look a lot like the company's frontline domain but shorter or slightly different.

What engineering rationale is there for this convoluted implementation that trains users to ignore the URL bar? What happened to having a single trusted domain that all services live under?