[toomuchtodo]

I've always seen issues pushing objects directly to S3 from a browser using CORS. YMMV.

[ceejayoz]

You can specify CORS headers for S3, or you can just use a standard form POST.

[toomuchtodo]

You still need a stub API for generating the signature to sign the upload requests to S3, correct?

[ceejayoz]

Not technically, but generally in practice. You can open things up permissions-wise but run the risk of folks uploading lots of large files. Keeping permissions locked down and doing a signature allows things like file size, location, etc. restrictions.