
Hosting a dynamic site on S3 via async cross-origin request

I realized I could host an entire site on S3 (html, js, css, etc.) and still have it be dynamic by asynchronously communicating to a database (on EC2 for me) on page load. Even though the index.html file is on S3, I can enable cross-origin requests to have a "dynamic" site.

I'm wondering if people have done this and if there are any security caveats I should keep in mind?

To me this is an extremely scalable (and cheap!) server-side architecture. My server never has to send a single line of html. The only load on it is sending and receiving snippets of JSON. It also makes it very simple to toggle a "static" flag if my server is under heavy load and simply serve everything from S3.

dmvaldman asked Apr 05 '12 16:04


1 Answer

Static sites on S3 are easy and adding CloudFront CDN support is a breeze.

Because cross-domain qualifications are based on the tuple {domain, protocol, port}, cross-domain considerations do come into play.

However, the standard cross domain workarounds still apply.

Example techniques I've used to communicate cross domain via iFrame or otherwise:

0) jsonp

1) Access-Control-Allow-Origin:

2) setting document.domain to allow communication

3) window.postMessage

For hosting static assets on S3, JSONP is great, but probably comes into play most when it's your website off S3 and not the assets (whereas here, your website is S3 and you're communicating to some other server).

Access-Control-Allow-Origin will get you all modern browsers and allows you to speak securely or not securely across domain. IE proposed and supports a different (and more secure) standard, but is expected to support CORS in IE10.

This is my opinion, but go the CORS route if you're coding for modern browsers.

buley answered Oct 06 '22 01:10
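
The Access-Control-Allow-Origin option from the answer above, sketched for the API server behind an S3-hosted page. This is an added example, not code from the question or the answer; the bucket origin, the `corsHeaders` and `handleApi` names, and the allowed methods are assumptions chosen for illustration.

```javascript
// Added example: CORS policy for a JSON API called from an S3-hosted page.
// ALLOWED_ORIGINS holds a constructed placeholder; use your own website origin.
const ALLOWED_ORIGINS = new Set([
  "http://example-bucket.s3-website-us-east-1.amazonaws.com",
]);
const ALLOWED_METHODS = ["GET", "POST"];

// Build the CORS response headers for a given Origin request header.
function corsHeaders(origin) {
  // Caches must key on Origin because the response differs per origin.
  const headers = { "Vary": "Origin" };
  // Exact match on scheme + host + port: no wildcard, no substring tests.
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = "Content-Type";
  }
  return headers;
}

// Node-style handler; attach with http.createServer(handleApi).
function handleApi(req, res) {
  const origin = req.headers.origin;
  const headers = corsHeaders(origin);
  const allowed = "Access-Control-Allow-Origin" in headers;

  if (req.method === "OPTIONS") {
    // Preflight: reply with headers only, never run application logic.
    res.writeHead(allowed ? 204 : 403, headers);
    return res.end();
  }
  // CORS only stops the browser from reading the response; the request
  // still reaches the server, so reject unlisted browser origins here too.
  if (origin !== undefined && !allowed) {
    res.writeHead(403, headers);
    return res.end();
  }
  if (!ALLOWED_METHODS.includes(req.method)) {
    res.writeHead(405, headers);
    return res.end();
  }
  headers["Content-Type"] = "application/json";
  res.writeHead(200, headers);
  res.end(JSON.stringify({ ok: true }));
}
```

The Origin header is set by the browser and can be forged by any other client, so this check scopes which pages may read responses; it does not replace authentication on the API.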