AFAIK, if content is served over HTTPS, CDN has no way to intercept that data.
I'm no expert, but t his is what theymos wrote (and there are more interesting posts in that topic):
What I meant is that Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot