by linksbro 3931 days ago
This is great, but only if your CDN is not also serving your HTML files! (static sites)
1 comments

For a static site I expect you would be far less concerned about session hijacking or XSS if someone took over that domain. Even a complete single-page app should serve the initial HTML request from a trusted domain/server.