by marshray 4770 days ago
Any time you serve raw user-supplied files from *.[your site].com you take on some risk.

Older browsers in particular just love to treat everything under the same second level domain as coming from the "same origin". Browsers even have a hardcoded list of country codes and exceptions to prevent "example.co.uk" from setting cookies for all of "*.co.uk".

It's a total security mess and ICANN is not helping the situation by selling new gTLDs.
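An added example, not part of the original comment: a sketch of the check a cookie jar makes against a public-suffix list before accepting a `Domain` attribute, including the wildcard and exception rule forms. `RULES` is a small constructed subset and the function names are hypothetical.

```javascript
// Constructed subset of public-suffix rules (a real list has thousands of entries).
const RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"];

// Return the public suffix of host: an exception rule ("!") wins, otherwise
// the longest matching rule, otherwise the implicit default rule "*"
// (the last label alone), which is what covers TLDs missing from the list.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = 1; // default rule "*": one label
  for (const rule of RULES) {
    const exception = rule.startsWith("!");
    const parts = (exception ? rule.slice(1) : rule).split(".");
    if (parts.length > labels.length) continue;
    const tail = labels.slice(labels.length - parts.length);
    const match = parts.every((p, i) => p === "*" || p === tail[i]);
    if (!match) continue;
    // An exception rule means the suffix is the rule minus its leftmost label.
    if (exception) return tail.slice(1).join(".");
    best = Math.max(best, parts.length);
  }
  return labels.slice(labels.length - best).join(".");
}

// May a response from requestHost set a cookie with this Domain attribute?
// The attribute must domain-match the host and must not be a public suffix.
function cookieDomainAllowed(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  const domainMatches = host === domain || host.endsWith("." + domain);
  if (!domainMatches) return false;
  // A public suffix is acceptable only as a host-only cookie for that exact host.
  if (publicSuffix(domain) === domain) return host === domain;
  return true;
}
```

Without the `co.uk` rule, the default rule would treat `uk` as the suffix and `Domain=co.uk` would be accepted, which is why the list has to keep pace with every registry's delegation policy.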

1 comments

Err... Google can just use a custom domain (e.g. "googleusercontent.com" that they already use) to serve user-supplied files rather than stopping the service altogether, so I guess this is not the issue here.
Do you have any idea what it takes to (securely) bring up a new domain at that scale?

Hint: Take a look at the Subject Alt Names on some of the Google SSL certs sometime.