Users of our iOS app are receiving a Certificate Error when logging in to their OneDrive

Hi,

 

On or around February 18th, users of our iOS App have started receiving a certificate error when attempting to sign in to their OneDrive accounts:

 

"The certificate for this server is invalid. You might be connecting to a server that is pretending to be “skyapi.onedrive.onedrive.live.com” which could put your confidential information at risk."


Obviously, the URL looks incorrect (too many "onedrive."'s in there...). The trouble is this URL is generated by "accountchooser.js" (Microsoft written) in code that looks like this:


e.skyApiBaseUrl = "https://skyapi.onedrive." + document.domain + "/API/2/";


We use the OneDriveSDK via a Cocoapod (nothing has changed here in years) and our App hasn't changed anything here in a similar time frame.


So something recent looks to have changed, either in the accountchooser.js code, or in how "document.domain" is calculated/determined on iOS. For reference, our users are seeing this on iOS 15.3.x and iOS 15.4, so latest stable production releases.


Is anyone seeing anything similar? Any help with where or how we should raise this issue would be helpful...

 

Who is the responsible team for accountchooser.js?

 

Attached is a screenshot of a Proxyman capture on a clean iOS Simulator:

[Image: 177232-image.png]

Offending Code

[Image: code.jpg]

Related Threads and Issues Raised

https://docs.microsoft.com/en-us/answers/questions/751860/onedrive-certificate-broken.html?childToVi...

https://docs.microsoft.com/en-us/answers/questions/747693/users-of-our-ios-app-have-just-started-rec...

https://twitter.com/StrongboxSafe/status/1496467806451286021
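
The concatenation quoted in the post can be replayed offline to see why an extra label breaks certificate validation. This is an added example, not part of the original post and not Microsoft's code; the SAN list and the candidate `document.domain` value `live.com` are constructed assumptions, and only the prefix, path and failing hostname come from the post.

```javascript
// Added example. HOST_PREFIX and PATH come from the accountchooser.js line quoted in the post.
const HOST_PREFIX = "skyapi.onedrive.";
const PATH = "/API/2/";

// Constructed SAN list for illustration; NOT the contents of the real certificate.
const ASSUMED_SANS = ["*.onedrive.live.com", "onedrive.live.com"];

// Same concatenation as the quoted line, with document.domain passed in as a parameter.
function buildSkyApiBaseUrl(documentDomain) {
  return "https://" + HOST_PREFIX + documentDomain + PATH;
}

// Invert the concatenation: which document.domain value yields the observed host?
function impliedDocumentDomain(observedHost) {
  if (!observedHost.startsWith(HOST_PREFIX)) return null;
  return observedHost.slice(HOST_PREFIX.length);
}

// RFC 6125 style matching: "*" is accepted only as the whole leftmost label
// and stands for exactly one label, so label counts must be equal.
function matchesCertName(host, pattern) {
  const h = host.toLowerCase().split(".");
  const p = pattern.toLowerCase().split(".");
  if (h.length !== p.length) return false;
  return p.every((label, i) =>
    i === 0 && label === "*" ? h[i].length > 0 : label === h[i]);
}

// Build the URL for a given document.domain and report whether the
// resulting host would be covered by the given certificate names.
function diagnose(documentDomain, sans = ASSUMED_SANS) {
  const host = new URL(buildSkyApiBaseUrl(documentDomain)).hostname;
  return { documentDomain, host, covered: sans.some((s) => matchesCertName(host, s)) };
}

// Hostname from the error message in the post.
console.log(impliedDocumentDomain("skyapi.onedrive.onedrive.live.com"));
// Candidate document.domain values: "live.com" is assumed, the other is implied above.
for (const d of ["live.com", "onedrive.live.com"]) console.log(diagnose(d));
```

Because a wildcard covers a single label, a host with one extra `onedrive.` label fails validation even against a wildcard entry for the parent name.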

2 Replies
I replied over on the Q&A thread but wanted to update here as well in case anyone sees one but not the other. We are currently investigating this on the OneDrive side and will update when we have a path forward.

Hello,

Do you plan to update this within the year?