Why do web services use so many domains?
It is common to see content on the web being loaded from many different domains all owned by the company providing the service or site. Today this really reached a new level of absurdity for me:
I received an email that indicated I had been given access to a OneDrive share. It was a little sketchy so I decided to navigate to the base domain and log in. Examining the URL I find sharepoint.com. The next steps followed:
1. sharepoint.com redirected to microsoft.com
2. Clicking "login" took me to live.com
3. Entering my username and pressing enter took me to microsoftonline.com
4. Entering my password and pressing enter took me to office.com (and the Office dashboard)
5. I go back to my email and click the link, which takes me to a logged in page on sharepoint.com with OneDrive branding.
This took me a bit because it was sketchy being bounced from domain to domain during a simple login process, so I checked the cert each time. I know this Microsoft stuff is an extreme example but it happens everywhere under the hood. I see this a lot with JavaScript and content: sketchy domains that look a lot like the company's frontline domain but shorter or slightly different.
What engineering rationale is there for this convoluted implementation that trains users to ignore the URL bar? What happened to having a single trusted domain that all services live under?

There can be quite a few reasons to pull in more domains than necessary:
- Branding. Perhaps Microsoft wants a strong stamp that Sharepoint is the productivity tool and Live is the identity system.
- Using security boundaries. Web browsers respect domain differences as a primary security boundary. If live.com is security critical, they may want to make sure extras are hosted elsewhere so they can't access live.com cookies, make XHR requests to live.com, etc.
- Redirects may need to jump through extra domains to make sure that logging in once works across every property. For example, when you log in to Google Drive it redirects you through YouTube in order to set a cookie on YouTube to log you in there.
- Partners. A company may use a partner for some part of their tech stack; for example, MyBiz LLC might use Trust Inc to provide DoS protection. In some cases this might be implemented by throwing up trust-mybiz.com somewhere in the mix.

The security boundaries rationale is interesting. I think I need to learn more about that.

Another user mentioned SSO redirects for main pages. For assets generally there is a different domain for the CDN, which may load JavaScript. Finally, there is an inbuilt limit on simultaneous requests per domain in browsers. Different domains are used to get around this.

I did not know this about connection limits. The multi-domain assets really bug me when I'm enabling domains one by one in NoScript.

Here is an example of domains used on Amazon's website:

The HTTP 1.1 RFC says 2 per domain, but it's more like 6 for most browsers. https://docs.pushtechnology.com/cloud/latest/manual/html/des...

The redirections sound like ordinary SSO behavior.
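The two mechanics discussed above, the origin comparison browsers use as a security boundary and the chain of redirects an SSO login bounces through, can be made concrete with a small audit script. The following is an added example written for this thread, not code from any of the posters or from Microsoft. It walks a constructed sequence of HTTP responses (status code plus Location header, using the domain names mentioned in the thread; nothing here is captured traffic), records every origin visited, and reports any hop whose registrable domain is not on an allowlist the operator maintains. The `registrable_domain` helper is a deliberate simplification (last two labels) and is labelled as such; a production check would use the Public Suffix List.

```python
"""Audit the redirect chain of a login flow and compare origins.

Added example for this thread; not from the original posts. The sample
responses below are constructed, not captured traffic.
"""
from urllib.parse import urlsplit, urljoin

# Constructed sample: (request URL, status, Location header) for each hop a
# client would see when following the chain the original poster described.
SAMPLE_CHAIN = [
    ("https://sharepoint.com/", 302, "https://microsoft.com/"),
    ("https://microsoft.com/", 302, "https://live.com/"),
    ("https://live.com/", 302, "https://microsoftonline.com/"),
    ("https://microsoftonline.com/", 302, "https://office.com/"),
    ("https://office.com/", 200, None),
]

# Domains the operator expects a Microsoft login to touch (constructed list).
EXPECTED_DOMAINS = {
    "sharepoint.com", "microsoft.com", "live.com",
    "microsoftonline.com", "office.com",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple the same-origin policy compares.

    Two URLs that differ in any component are different origins: script on
    one cannot read the other's cookies or DOM, which is why hosting "extras"
    on a separate domain keeps them away from a sensitive login domain.
    """
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def same_origin(a, b):
    return origin(a) == origin(b)


def registrable_domain(host):
    """Crude eTLD+1: the last two labels of the hostname.

    Assumption: no multi-label public suffixes (co.uk, etc.) in the input.
    A real implementation consults the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def walk_chain(responses, start, max_hops=20):
    """Follow Location headers from `start`; return the URLs visited in order.

    Stops at the first non-3xx response, a missing Location, an unknown URL,
    a repeated URL (redirect loop) or `max_hops`, so it always terminates.
    """
    table = {url: (status, loc) for url, status, loc in responses}
    visited = [start]
    current = start
    for _ in range(max_hops):
        status, loc = table.get(current, (None, None))
        if status is None or not 300 <= status < 400 or loc is None:
            break
        current = urljoin(current, loc)  # Location may be relative
        visited.append(current)
        if visited.count(current) > 1:
            break  # loop detected; the repeated URL is kept as evidence
    return visited


def audit_chain(visited, allowed):
    """Return the hops whose registrable domain is not in `allowed`."""
    allowed = {d.lower() for d in allowed}
    return [
        url for url in visited
        if registrable_domain(urlsplit(url).hostname or "") not in allowed
    ]


if __name__ == "__main__":
    hops = walk_chain(SAMPLE_CHAIN, "https://sharepoint.com/")
    for i, url in enumerate(hops):
        print(f"hop {i}: {url}  origin={origin(url)}")
    print("unexpected hops:", audit_chain(hops, EXPECTED_DOMAINS))
```

Run against the sample chain, every hop lands on an expected domain, so the audit list is empty; drop `live.com` from `EXPECTED_DOMAINS` and the script names that hop. The `origin` function also shows why `https://live.com/` and `https://www.live.com/` are distinct security boundaries even though they share a registrable domain: the host label differs, so the same-origin policy treats them as strangers.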
The fact that there are multiple domains is an artifact of sales & marketing people who insist on having a different name for everything and will not accept a sub-domain of the main corporate domain. They want to put out marketing pieces saying "go to <productname>.com". It's more about marketing, branding, and re-branding than it is technical.
On its own "associates-amazon.com" sounds sketchy, but I suppose you assume the HTTPS page that you loaded from amazon.com knows what it's doing.

- amazon.com
- www.amazon.com
- amazon-adsystem.com
- associates-amazon.com
- media-amazon.com
- ssl-images-amazon.com