The cname is just a normal domain. That DNS entry is a real entry. The CNAME is real. You can go directly to that address too. If someone else knows the cname destination they could go to it or cname their own domain to it literally like any other domain.

The only specially handling is cloud flare has a mapping from subdomain to your private network via it's agent and that's it.

I don't get what's the wrong or complicated about this.

I gave you the benefit of the doubt for a moment, but as far as I can tell, you are incorrect for practical purposes. I went ahead and re-checked everything to make sure. Let's see:

1. I have a cloudflare domain with a working tunnel (managed through Access). In DNS Records, it shows as a CNAME to [redacted].cfargotunnel.com. But:

$ dig [redacted].cfargotunnel.com

; <<>> DiG 9.10.6 <<>> [redacted].cfargotunnel.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5851 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

and no records are returned. Interestingly, it's an empty result, no NXDOMAIN.

2. I have multiple subdomains that appear to be CNAMEs to the same [redacted].cfargotunnel.net. And yet they are entirely different sites that just happen to share an instance of cloudflared at the origin. The sites aren't even served at the same origin address!

They are different "Published Application Routes". They don't even have the same protocol!

2. The tunnel above is on a domain with "Full (strict)" TLS. But traffic to the origin emerges from cloudflared in cleartext.

This whole configuration schema is nonsense. What should happen if a CNAME points at a tunnel that doesn't have a route for that application? What if a tunnel has a route for an application that is CNAMEd somewhere else?

I imagine that what's going on is that Cloudflare internally has a rule that traffic with a cfargotunnel.com origin goes out their Tunnel infrastructure instead of out to the normal Internet. And Cloudflare applies the same JWT that it would apply if the request went out via the normal Internet, and cloudflared verifies that JWT if "Enforce Access JSON Web Token (JWT) validation" is on (maybe the request is literally TLS wrapped inside the cloudflared tunnel? I've never tried to inspect what's going on inside). And then cloudflared unwraps everything? And if you configure cloudflared wrong, then it's totally insecure?

I've seen stores advertise "we pay your sales tax" like furniture outlets. Wouldn't this allow for legal priced items?

If someone demands exact change is it allowed to give them more? What if you don't have the exact change?

Apparently I was wrong about that part. Only the part about cents still being legal tender was correct. So you can pay the exact amount, but not demand the exact change.

You could always refuse service, I guess.

Helm is not official or blessed or anything, just another third party tool people install after install k8s.

Safe isn't the same as economically powerful.

Look at Bhutan with their Gross National Happiness as an alternative.

> It feels like screenshots have become the de facto common denominator in our mobile computing era,

Google/Apple have taken notice. Both have recently redone their full-screen post-screenshot UI to include AI insights / automatic product searches / direct chat with Gemini/LLM / etc.

Its true everyone uses screenshots to save things they are interested in or want to look up / search more of / save for reason and this UI is the perfect place to insert themselves.

Unless you are buying the absolute cheapest package of cheese slices it will still be real cheese. I'm not even sure if I've ever even seen a Kraft or Valveeta sliced cheese product, only lesser no-name brands. I've been am American all my life and do not buy process cheese product as it does take like plastic, but actual American cheese is delicious on burgers and grilled cheeses and a few other select meals.

What's crazy is Europe allowing 5% non-milk-fat/vegetable fat products to be called "ice cream". Thankfully in America it has to be 10% milkfat at least.

The hero image for Kraft Singles on Wikipedia clearly states “Pasteurized prepared cheese product” https://commons.wikimedia.org/wiki/File:Kraft_Singles.jpg

It is a sleight of hand that it says American, but it specifically does not say American cheese as a single phrase.

You are looking at the wrong product. This one[0] does say "American cheese" as a single phrase. And the slices are not individually wrapped, as they don't need to be.

[0]https://www.kraftheinz.com/kraft-deli-deluxe/products/000210...

Kraft Singles and their Velveeta equivalent are what is available abroad, not the Kraft Deli Deluxe. 40 percent of American households in 2019 bought Kraft Singles.

You may not like it, but it is the public face of American cheese.

I might say the 60% that didn’t buy Kraft Singles might be the public face of American cheese considering it’s the larger number?

There’s no data to suggest that actual fancier American cheese sells more than heavily marketed slices, especially since a huge chunk of the remaining population, and I would say most, is not consuming either “American cheese” or “American cheese product” with sodium citrate.

Chrome (at least?) solves this via Text Fragments[0] which are a pure client side thing and requires no server or site support.

This URI for example:

https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...

Links to an instance of "The Referer" narrowed down via a start prefix ("downgrade:") and end suffix ("to origins").

These are used across Google I believe so many have probably seen them.

[0] https://developer.mozilla.org/en-US/docs/Web/URI/Reference/F...

Are you saying your parent post was an AI summary? There is original speculation at the end and it didn’t come off that way to me.

re: storing data in keys

FoundationDB makes extensive use of this pattern, sometimes with no data on the key at all.