You can publish almost any kind of content (limited by the terms of service, of course), but there are some technical limitations in place via a content-security policy which is applied to all pages sites. Our full CSP header is:

  default-src 'self' 'unsafe-eval' 'unsafe-inline';
  sandbox allow-forms allow-orientation-lock allow-pointer-lock allow-presentation allow-scripts allow-same-origin;

The main consequence of this is that all resources must be served from your domain — you cannot use a CDN or embed third-party content.

The policy also disallows forcing links to open in new tabs (target="_blank"): the sandbox directive does not include allow-popups, and opening a new tab is equivalent to opening a pop-up in the browser security model.
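A pre-publish check for the two restrictions above, as an added example (not part of the original page or of the hosting service's tooling): it scans a page's HTML for fetches that `default-src 'self'` would block and for `target="_blank"` links. The host `user.example.com`, the sample page and the attribute lists are assumptions; CSS `url()` references and scheme mismatches are not checked.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FETCH_ATTRS = ("src", "poster", "data")         # attributes that trigger a fetch
FETCH_RELS = {"stylesheet", "icon", "preload"}  # <link rel> values that fetch href

class CspAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line, tag, reason)

    def off_origin(self, url):
        parts = urlsplit(url.strip())
        if not parts.scheme and not parts.netloc:
            return False  # relative URL, same origin: matches 'self'
        # Other hosts, //host, data: and blob: fail 'self'; same host over http(s) passes.
        return parts.scheme not in ("", "http", "https") or parts.netloc.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        urls = [a[k] for k in FETCH_ATTRS if a.get(k)]
        urls += [c.split()[0] for c in a.get("srcset", "").split(",") if c.strip()]
        if tag == "link" and FETCH_RELS & set(a.get("rel", "").lower().split()):
            urls.append(a.get("href", ""))
        line = self.getpos()[0]
        for url in urls:
            if self.off_origin(url):
                self.findings.append((line, tag, "default-src 'self' blocks " + url))
        if tag in ("a", "area") and a.get("target", "").lower() == "_blank":
            self.findings.append((line, tag, "sandbox lacks allow-popups: target=_blank blocked"))

def audit(html, site_host):
    parser = CspAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; user.example.com is a placeholder host.
SAMPLE = """<link rel="stylesheet" href="/style.css">
<link rel="stylesheet" href="https://fonts.example.net/font.css">
<script src="//cdn.example.net/lib.js"></script>
<img src="data:image/png;base64,AAAA">
<a href="https://example.org/" target="_blank">new tab</a>
<a href="https://example.org/">same tab</a>
"""

if __name__ == "__main__":
    for line, tag, reason in audit(SAMPLE, "user.example.com"):
        print(f"line {line}: <{tag}> {reason}")
```

Inline scripts and styles are not reported, since the policy allows them through 'unsafe-inline'.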

The published tarball is limited to 1 GiB in size, after decompression. Any entries other than regular files, such as symlinks, are ignored.

Connections from Cloudflare’s reverse proxy are dropped. Do not help one private company expand its control over all internet traffic.