Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: Check medium's localstorage if you use adblock
360 points by ev1 on Aug 29, 2020 | hide | past | favorite | 139 comments
If you have uBlock or similar, it appears medium logs all analytics pings into HTML5 LocalStorage and will keep retrying to send them (and apparently periodically change domains and subdomains to try and send them).

I had tens of thousands of entries in localStorage, wasting quite a bit of space, all of them at least 400-600 characters or more. Each time I scrolled it'd add a few dozen more in, to the point where devtools was freezing. Ridiculous.

Example: https://i.imgur.com/M4E3kqg.png

Medium is so chock full of anti-features this doesn't surprise me at all. I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

I miss the days where it felt like software was trying to make my life easier, nowadays my experience is mostly characterized by a constant struggle to avoid being taken advantage of.

> I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

Once upon a time I would have done the same (or written a script), but I’m past the point of putting in extra effort to read “some random blogger’s article”.

If a random blogger/writer/whatever wants me or anyone else for that matter to read what they wrote, posting it on Medium is absurd. If it’s good enough to stick your name on it, and it’s important enough for you to write it, own the work you put into it, put it somewhere that people can read it without jumping through hoops or dealing with Medium’s BS. It’s a crappy site.

All Medium needed to do was take words that look like this: http://motherfuckingwebsite.com/

And turn it into this: http://bettermotherfuckingwebsite.com/

And you know, RSS feeds and maybe some image hosting, or custom domains and some other premium shit. Like these guys did:




Every one of these old-time blog platforms are still around, all of them offer/offered different things, all of them take some words you spit out and throw a fancy template around them and if none of that satisfies you, there’s as many static site generators and “blog engines” as there is porn, and like porn, you can always produce and personalize your own.

A better example of constrained design for text articles is https://practicaltypography.com

(Though I prefer Valkyrie as the chosen font on that site—which was the default previously.)

And yet medium is more successful then "these guys".

Wordpress powers about a third of the web and Automattic has a significantly higher valuation than Medium. Maybe Medium's cooler, but it's not more successful.

But they aren’t more successful through the blog platform, instead by providing website foundation most companies use to create company websites, e-commerce websites and, a few of them, blogs.

> But they aren’t more successful through the blog platform, instead by providing website foundation most companies use to create company websites, e-commerce websites and, a few of them, blogs.

The blog platform provided the very foundation for their success because once people found out how easy it was, relative to the competition[0], to stand up an online presence using WordPress, you could "convert" the blog into an e-commerce website or a CMS or anything you can think of that needs to spit out HTML/CSS/JS, via the use of free/paid WordPress plugins.

[0] WordPress' competition included a wide variety of product categories apart from Movable Type, which used to be the dominant open source blogging platform. From dedicated CMS products like Joomla or Drupal or Plone, to dedicated e-commerce products like OsCommerce. WordPress fit nicely in the middle of these product categories due to its vibrant plugin community and focus on ease of use (at the cost of security), which is part of why it became popular.

Automattic isn't just wordpress. But even if wordpress is more successful, the fact that medium had any success at all, even though wordpress already existed proves that medium did something right.

WordPress had somewhere around $132 million in revenue last year, Medium had $12.2 million revenue.

WordPress started 17 years ago, Medium started 8 years ago.


>In 2012 the company said it was profitable and generated $45 million in revenue.

3 years? Medium was founded in 2012.


I see, I'll update my comment.

Is it though?

Pyra Labs (Blogger) was Evan Williams earlier adventure and Google acquired it in 2003. Evan Williams later went on to co-found Twitter and in 2012, founded Medium. I checked Crunchbase and as of 2016 they’ve taken on $132M across 3 funding rounds and as of at least last year, they are not profitable[1].

I remember the buzz around Medium back when it launched, Ev Williams was going to try and do something new and exciting with text and don’t call it a blog platform, it’ll be like Twitter but with longer form text and anyone could write for it, etc.

The reading experience was good, it did (and probably still does, but I don’t read anything on Medium anymore) have an interesting take on comments, and anyone could write for it. But it’s a blog platform. It is Ev Williams second crack at Blogger with some of the lessons of Twitter, and the conceit that by locking up enough authors into a kind of Yahoo-style lobster trap[2], they can sell themselves as the New York Times[3] by being a kind of YouTube for text.

The thing about YouTube is that videos are relative to text, expensive to encode, decode, store and distribute, and YouTube has an audience that goes to YouTube to watch video. Text can be had anywhere, and while you won’t find many people that hate to watch videos, there are plenty of people that do hate to read, and Medium as it was originally conceived and before the dickbars[4] started rolling in and they had to start hacking engagement was a love letter to the typed word. It was a really really good blog platform that didn’t want to think of itself that way, and that’s why it tried to flip the model and charge readers for access rather than charge writers for hosting or premium features.

Blogger was bought out, I actually found it amazing that TypePad[5] was still around, but the “blog engine” that powers it, Movable Type is still powering sites that you’ve probably heard of, daringfireball.net and Kottke.org being two of the more famous examples with the kinds of writers/bloggers I was advocating for: people who own what they have to say, every pixel of it.

WordPress is now the biggest fish in the blogging pond in mindshare, market share and revenue for blogging software. If it’s a blog and it’s not someone’s custom static site generator or Movable Type on the backend, then it is probably using WordPress either .com or .org.

[1] https://www.niemanlab.org/2019/03/the-long-complicated-and-e...

[2] http://ascii.textfiles.com/archives/2848 or https://web.archive.org/web/20200220000509/http://ascii.text...

“All I can say, looking back, is that when history takes a look at the lives of Jerry Yang and David Filo, this is what it will probably say:

Two graduate students, intrigued by a growing wealth of material on the Internet, built a huge fucking lobster trap, absorbed as much of human history and creativity as they could, and destroyed all of it.

Great work, guys.” -Jason Scott

[3] https://blog.medium.com/how-mediums-curation-distribution-an...

[4] https://daringfireball.net/2017/06/medium_dickbars

[5] I have lost track of where TypePad is relative to everyone else, even in its heyday it was the one platform I never signed up for because I had chosen Blogger, mind I quickly found Blogging wasn’t for me. It appears Movable Type is still actively developed, still sold, and Six Apart is now a Japanese company. TypePad has always been and still appears to be the WordPress.com to Movable Type’s WordPress.org

> And turn it into this: http://bettermotherfuckingwebsite.com/

This wastes so much vertical space. Honestly, http://motherfuckingwebsite.com/ is a lot better.

My personal preference is actually for http://motherfuckingwebsite.com/ but I had a point to make about what blogging platforms could theoretically bring to the table: stylesheets.

But the World Wide Web has been in a downward spiral ever since the img tag came along.

I meant horizontal space, sorry.

A while ago, I realized that I could just block all cookies for Medium.

Now I always have 2 free articles. ;) Let's see how long it lasts.

Medium is charging now? Isn't it all third party content offered to them for free? Or do the authors get to choose to charge at their discretion?

The authors get to choose, and are paid when they get views from paying customers.

I find opening Medium in an incognito window gets past the wall. Are they now plugging that loophole?

I doubt it. I've set Firefox to never allow cookies or site data from medium.com. Seems to have worked as I don't have any entries from them.

I should think incognito would do similar.

Don't think so, that's my tactic, too

fwiw opening the article in an incognito tab usually does the trick to get past the article limits. That said, you're right on the money about how badly it sometimes seems that medium doesn't want me to ever use their service

You are the product. We need to change that business model.

I find that medium is even moving articles behind paywall even without consent from author. It was not happening earlier. For example - Look at Netflix Medium blog https://medium.com/@NetflixTechBlog

There are few stories which are behind paywall. Do you think Netflix would have marked them explicitly behind paywall to earn money from blog?

Last I checked the Medium paywall is opt-out on each post you make. Quite easy to accidentally leave it checked.

interesting, so medium is becoming another silo. I knew they were user hostile web actor but their recent moves are horrible.

Let's take this for a spin. Even if you cross post, then if someone tries to read it on medium first and encounters paywall, closes it, then finds your article on your blog and consciously or subconsciously this reader would already have a negative emotions about it and could easily loose patience before reading your whole post. Have you gained anything? no, you have potentially lost a long time reader.

I use Medium (also dev.to) only to cross post my weblogs.

I make sure to uncheck the option that may make my post exclusive in the future, and I also put canonical link[1]. The main goal is both SEO, and options for readers. If they prefer reading on Medium app or RSS or Dev.to than in my blog, so be it!

[1]: https://help.medium.com/hc/en-us/articles/360033930293-Set-a...

I’m currently cross posting medium and hashnode but you’ve got a point there. Maybe time to say goodbye to medium. I’m not using their distribution/paywall anyway so all medium is to me is a really nice editor.

One of the first addons I install everywhere: https://makemediumreadable.com/

>I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

Have you tried deleting the site's cookies and refreshing? Clicking on the lock in the address bar > Cookies > Remove.

That's a fair position. I don't completely agree, but I certainly empathize. It could also be said of multiple perspectives related to software from employment, coworkers, user experience, data, social engagement, and so forth. It seems there is a tremendous amount of potential exploitation for undisclosed motives.

Is there a chrome extension that auto opens medium articles in archive view after clicking link?

I would argue that the anti-feature is the existence of local storage. Medium is just a symptom of the underlying issue, which is that browsers do not care about privacy.

No, I think the anti-feature is that browsers don't give users good tools to see when things are being stored in storage (cookies, localstorage, etc.), what is being stored, whether it should be stored, and when it should expire.

I think this stuff should have a first-class UI component in 2020, not be hidden away in a submenu in the devbar that's frankly even annoying to deal with as a developer.

By pitching cookies only, you're saying that websites should only be able to store stuff that the browser should have to reflect back to the server through http headers. I don't think the constraint makes sense beyond wasting bandwidth for settings that should stay local.

Just look at this HN submission. We shouldn't need an HN submission to know this about the websites we visit. Browsers are failing us here. If a website is abusing our localstorage like this, it should be obvious (for the people who care). As it currently stands, browsers enable bad actors to do bad things silently with zero consequence beyond the few nerds who happen to notice it.

As an example, I'm reminded of the new iOS feature(?) that shows when the clipboard is being accessed which spurred a bunch of "wtf is $app doing with my clipboard?" last month. That's what I think setting cookies and localStorage should be like. Or at least a way to opt in to that behavior without throwing the baby out with "disable localstorage".

Yup, you're on the money here. In fact browsers should make accessing the data stored by sites and modifying their permissions drop-dead intuitive, even for non-tech users and those with more knowledge should be afforded further knobs to tweak. This kind of UI might be a bit hard to design and require some thought, but I think it is quite possible, and I find it surprising that even after all these years, the dialogues and preferences dealing with examining and controlling the storage and execution of websites and apps to be poorly thought out, obscure and very clunky.

I can understand why Chrome might not want to improve in this regard as its parent company's interests directly conflict with more user control of web data, but amazingly, if anything, Firefox's settings for auditing and restricting websites is even worse. And none of the browsers, AFAIK, have taken the initiative in this area and tried to really differentiate themselves.

I suspect they think no one except a few tech users will be interested in these knobs, but the thing is, if you make them prominent, easy to use, understand and intuitive, I bet a lot more people will start using them.

Erm, how should ppl keep Frontend authentication tokens etc between refreshes without something like local storage?

And how would we make offline webapps which don't store anything on servers?

> Frontend authentication tokens etc

Cookies or use tls authentication.

> And how would we make offline webapps which don't store anything on servers?

Don't make webapps in the first place.

If the choice is between a webapp and a native app the webapp is going to give users more control and a choice of the platform they want to view it on.

I may be in a minority but I still want to run on desktop linux with an ad blocker or vimium.

Webapps give me that. Native apps don’t.

> the webapp is going to give users more control

You can't modify the webapp nor can you refuse to update it.

Of course you can modify the webapp. You are running the source code in your browser.

Even if it’s minimised you can still modify it.

An ad-blocker in the form of something like a pi-hole should work with native apps, no?

Only when you are connected through your pi-hole.

Also, when pi-hole and mitmproxy are our only options to know what our device is doing and to block things we don't want, then we've lost. The web browser is basically the last bastion of control that we have with its devbar and networkbar and all. Blocking content/requests is something our devices should be able to do themselves.

It's a miracle of history that we have the browser, and it's hard to imagine us having it had it been invented today. We need to fight to keep it, not dismiss it with "ugh web tech amirite?" while we regress to native app black boxes as our only option.

A pi hole protects your whole network. What you are asking for sounds more like a traditional firewall that I think every computer still supports.

Yeah let's download desktop apps! They all have permission to upload your entire documents folder to the internet.

No applications installed through the Mac App Store have permission to read your documents unless you explicitly allow that. And you can revoke that access at any time by going to System Preferences… > Security & Privacy > Privacy > Files & Folders.

> They all have permission to upload your entire documents folder to the internet

They do not need to, and unlike "webapps" there isn't a remote server that can change the code that you are running at any moment.

Your response entirely fails to address the parent's concern about security. It's like responding to a RCE in your backend with "yeah it's there but we'll trust the users to not use it"

I do not understand your example. It would not be the user triggering the RCE but rather a 3rd party. In addition I do not see how it fails to address their concern.

I am about to implement a privacy friendly base knowledge app, and local storage is a cornerstone for doing fast full text search.

https://github.com/iamadamdev/bypass-paywalls-chrome If you use Chrome or Firefox this link might be useful for you.

This plugin injects Google tracking if you're using Chrome: https://github.com/iamadamdev/bypass-paywalls-chrome/blob/45...

Wouldn’t you agree that it’s really valuable to know if people actually read the article, how far and which parts?

No. I'll take an opposing viewpoint. It's not "really" valuable, it's marginally valuable. If your articles aren't yahoo-style clickbait, anything you'd do with that data would just make your future articles less authentic. Alternatively, is your collection and utilization of that information worth invading the privacy of your readers? The printed version of The Economist continues to deliver a fantastic product yet they have no idea how far into each article (or even the entire magazine) I get each week. They simply publish detailed, excellent articles which draw me back, week after week. Why should online articles be any different? An incisive author who has put in the effort to prepare a good, thoughtful article knows it is so before publishing.

Or one can publish thoughtless, banal articles and collect lots of statistics on how long it takes your readers to figure out that the article is a waste of their time.

Distinguishing between the two is precisely what we were taught throughout grade school.

You have absolutely nailed it. The cruft medium provides and calls insight is only valuable to people who want to work out how trick their audience into reading further in articles where they deliver no value.

An interesting note on The Economist is that their digital and print verions are priced the same, despite the higher cost of printing and delivering the printed version. The ads in the print version is simply worth more compared to the digital version.

I’m still not convinced that online ad tech adds nearly as much value as the tracking industry wants us to think. Sure, it’s useful to know if you reader can afford the product wish to promote, but The Economist actually knows roughly what you income is, based on your shipping adress alone, while geo-location online still consistantly place me in the most expensive city in Denmark, but I live in an area where income is average at best.

Are you kidding? No of course not.

You as a reader would rather prefer that the publisher doesn’t spy on you. Would you feel comfortable reading a newspaper whilst the editor looked over your shoulder all the time ? You might want to do that as a paid testing panel but not voluntarily.

If you wrote an article, and you’re mediocre or spammy, of course you’d get off on such metrics to please yourself, to get validation. Good writers would not care as much.

It's like saying that as a McDonald's customer, you'd prefer they did not charge you for food and you could just get it for free, without having to follow the rules. In fact, McDonald's has a lot of anti features: having to wait in line, greasy food, having to pay for the food and inability to bring outside food and drinks.

Businesses need to earn money and knowing their customers is part of this.

“Knowing your customer” is not equivalent to performing surveillance on your customers. People knew their customer for centuries before we could tell that a random unwitting user spent 1.6 minutes on the page and exactly where they put their mouse cursor while they were on it.

It would be like that if McDonald's started to put surveillance systems into their bags to learn about how you consume their burgers and fries once you've walked out of the restaurant.

Knowing your customer is important. Knowing everything about your customer is intrusive.

It's not like that at all.

One of the things I do is run a small B2B publishing company. We turn over a modest six figure dollar amount each year with a tiny tiny team. We are recognised as one of the leaders in our niche.

The thing that matters to us is whether we create great content, not whether someone stopped reading at 54% of the way through a particular article. Our audience appreciates that our content is authentic, informed and honest. And I don’t mean “authentic” like social media types mean when they say things like “always strive to be authentic!” When you start telling editorial staff to write differently because the stats say something about one particular article you are in a race to the bottom. Medium is an awful platform that rewards badly written click bait targeting stupid people. It’s a blight on the face of the web.

Not at all. Why would that be valuable to me as a reader?

Do whats best for the user. Does the user want that? No.



I am honestly baffled at why anyone uses medium, I just flatly refuse. Their stance on binding arbitration, and that in any disturbed claims that I agree to pay for the legal defense but give them total control over the defense.

These terms are growing ever more common, and I certainly use services with similar terms. But I mean this is a fucking blog site, it take very little time and effort to throw up a WordPress site.

their demands for this service, far out way its value, at least to me anyway.

I think people have gotten far too dependent on sell your soul for bread crumb services.

It's probably because of the good SEO the articles written there get: I published a project on GitHub, then an article on my personal blog about it (with a back link from the repo itself), then an intro article on medium with a link to repo and a "read more" toward my blog post. Then I submitted the GH repo and/or my blog post to some reddit threads.

Now, guess what: when googling for _the knests stack_ in the first few weeks, the top result was the preview article from medium. Even now, it's the second result, showing up above reddit or my blog post.

If you hadn't posted the preview on Medium it wouldn't get any SEO. Your problem is of your own making.

A link's position in a Google search is basically a worthless measure anymore. Every Google user ends up microtargeted such that the ordering of results or even which results are displayed is rarely consistent.

Use Google Search Console and the data there is far from worthless. Average position, impressions and clicks for all the keywords visiting your site.

The GP didn't reference Google Search Console. They mentioned their site's position on their microtargeted search results.

Which is a worthless metric since it won't be the same depending on a user's preferences, history, or location. It may be that their site averages as the top hit for a term but that's not the same as saying it's the top or second hit.

They're making claims about Medium's SEO chops with a metric that doesn't back up the claim.

I had an idea for an article, didn’t really care about where to put it and I decided to give Medium a shot. I didn’t know it would be that bad.

There’s no way to turn off auto-formatting in Medium editor. No way at all - support confirmed it. Dashes, quote marks and ellipses in your article will be placed only in a way Medium wants them to be. So, for example, if you decide to write in a language other than English and want to surround your dashes with spaces — like this — according to traditions of this language, there’s no way to do it in Medium editor. Even if you try to do something smart with clipboard, your efforts will be overwritten on save.

This is a clear example of a software that tries to be smarter than its user and fails.

Medium is much better without JavaScript. No article view limits, no creepy showing you your Google account and asking you to log in, nothing. And of course, no messing with your LocalStorage.

It does remove some images, but ok mobile, that is almost a feature in itself.

In Chrome, you can do this with chrome://settings/content/javascript which lets you blacklist JS on certain domains.

uBlock Origin can also disable JavaScript on domains. I discovered this recently and were pleasantly surprised that this was added.

You can even disable javascript by default on uBlock, a la uMatrix. I've turned it on on my lower-performance MacBook Air, and it's made web browsing so much more pleasant.

Give uMatrix a try if you want to get even more granular.

I wish Safari would let you do this.

Googles one tap is sooooo creepy. I have it blocked in ub origin. I’m always afraid of accidentally logging in - probably something they hope for.

As soon as I see Google's sign in I disable javascript for that domain. It's like a glowing red sign that website doesn't care about my privacy at all.

Arguably the mother of all dark UI patterns, and pretty tangible proof that Google's "Don't be evil" times are long gone.

Agreed. It's on Pinterest too. It's way too jarring UI to make it seem like a website knows all of your Google accounts, it amazes me they thought that dropdown menu that was the right move.

Interesting. Something like this can be mitigated by blocking localstorage access or using container-like solutions such as Firefox containers[0][1].

A nice project to work on would be to write a Chrome and Firefox extension that could watch, notify, and store localstorage and other tool usage on a per-site basis with an admin panel for whitelisting or blacklisting sites, similar to how uBlock functions.

Personally I run a few extensions that attempt to block or obfuscate fingerprinting attempts by sites inspecting system fonts, canvas rendering, etc. Some sites break altogether with these extensions.

[0]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...

[1]: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

Here is one way to clear localStorage without using Javacript, Add-Ons or Extensions:


This response header can be added with a localhost-bound proxy server like, e.g., haproxy:

     http-response add-header Clear-Site-Data *
Of course, the simplest solution is to just turn off JS before visiting medium; that should prevent any use of localStorage. I have never needed JS to read medium; it's just text. Text-only browser like links works fine.

Or, just block it, as you're using Firefox:

1. Open about:preferences

2. Go to Privacy & Security

3. Under Cookies and Site Data, click on 'Manage Exceptions'

4. Enter medium.com, click Block and then Save Changes.

Is there a way to disable Site Data globally for all sites?

By using a proxy, I disable Site Data for all sites and if I need it for a specific site I can add an exception.

It seems like Firefox, Chrome and probably others take the opposite approach. The default policy with these browsers is to enable Site Data globally for all sites. "Manage Exceptions" appears to refer to manual changes for every individual site that are required to deviate from this default "Go ahead and collect, store and track" policy.

Sometime over a year ago, I finally got tired of medium's shenanigans, so I threw together a Q&D TemperMonkey script to just remove the temptation.

It's nothing complex, just looks for links to medium.com and removes them from the page.


Thanks for the heads up. I looked at mine and it seems like the major of the events in localstorage are getting sent successfully as my adblocker isn't blocking the medium activity or batch API calls, however the lightstep events are blocked and stuck in my localstorage.

As an aside, I'm appalled they'd do this as I'm a paying customer of their service, but as an engineer I have to respect the work & ingenuity that went into this solution.

It's not exactly that hard to imagine. I've thought about a solution like this for 2 separate products across 2 different companies, and it was separately rejected for ethics concerns both times. You'd be surprised what company decided to reject it in the first case. This is an abuse of web APIs to achieve targeted data monitoring of users and probably a severe violation of GDPR.

Any European residents want to confirm this is happening with them?

Can confirm that this is the case for me as well. (EU resident.)

Have you considered filing a GDPR complaint? I would really encourage you to do so.

I found this: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

You should use the Euro judicial framework to get resolution for this 100%.

Americans like to complain about European legislation but this is a perfect example of government powers done right! (I'm a dual American/French citizen living in the US).

I've just spend good 15 minutes on it and in case of France it seems far from trivial. It doesn't look like it's a matter of sending a single e-mail.

Can you kindly opine? I am not in France at the moment so I'd love to learn what issues you are facing. Sorry to waste your time but I think this is a critically important topic if we want to preserve our data, privacy, and related rights into the future.

With the default settings on firefox (with the built in tracking protection on) plus ublock origin, I have nothing in local storage from Medium. I do have 6 cookies from medium.com and 2 from elemental.medium.com.

Not a heavy Medium reader though, I just click when something interesting shows up on HN.

www.bbc.com is my highest user of local storage, with 24 Mb.

I had half that. My worst offenders was transferwise (60mb). Apart from that and a couple of technical websites that I thought were justified, most others were under 30mb. It's still a lot of stuff to store though. And to think that we used to be limited to a couple of cookies...

I use this extension for Firefox: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

medium.com is one of the domains that I have set to always open in a temporary container.

In Firefox, you can prevent it from using site data and cookies. This also has the advantage of reseting the count of the number of articles that you can read when you close the tab.

1. Open about:preferences

2. Go to Privacy & Security

3. Under Cookies and Site Data, click on 'Manage Exceptions'

4. Enter medium.com, click Block and then Save Changes.

You can use localStorage.clear() in the dev console to clear this info and chrome://settings/content/javascript to blacklist JS on a domain in Chrome.

I've never relied on uBlock Origin alone to block trackers and ads. I always clear cookies (and local*storage) using Cookie AutoDelete. [1] You can configure this extension to clear cookies as well as local storage a specific duration after closing a tab or clear them all manually. You can also select specific sites whose cookies should not be cleared.

I also use tracker blockers like Privacy Badger. [2]

That said, I avoid visiting Medium links as much as I can. The whole experience is user hostile in many ways.

[1]: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

[2]: https://privacybadger.org

Couldn’t browsers ask before using local storage? Then I can approve it for sites where I believe it would make a positive difference (Once/Always/Never), and with an option to clear when the browser is closed. Bonus points if I can preview what’s being stored.

There are many legitimate uses for localStorage, e.g. see the API key field at https://beanstack.io (disclosure: a site I helped build): it will remember the value for you if you enter a value and hit submit. If you then, upon clicking submit, had to click through a browser pop-up asking if you want to let the website store data in your browser, that would feel like we're indeed tracking you when really what we're doing is trying to make your life easier without doing tracking. We could have used a cookie, but why should we if we can use localStorage which is privately yours and not sent to the server with every request?

Adding a warning upon localStorage would be like adding a warning upon setting cookies. The banners that websites add for setting non-essential cookies are annoying enough already without having to click past browser permission screens for essential cookies as well.

Also note that privacy laws or "cookie laws" don't ever mention the word cookie. If you are being tracked using localStorage, canvas fingerprinting, ETags, etc., they have to disclose the tracking. Not the method, I think, but what data they are collecting, for what purpose, with which retention period, and what their legal basis is (e.g. "we collect your address on the basis of fulfilling the contract to ship your package" or "we track you on the basis of consent"). LocalStorage is not something to be more or less afraid of than cookies, etags, etc.; the browser doesn't ask for those either, and I personally think that's better.

I use "Quick Javascript Switcher" on Chrome and it's amazing. Turning off javascript on certain sites improves usability by a ton.

More people need to be publishing on federated platforms like WriteFreely and Plumo so we don't have this sort of lock-in and readers can use existing fediverse accounts to comment and boost without signing up for and into these sorts of services.


It doesn't seem to do that for me, it instead just uses these two endpoints instead of the "report" endpoint to send the same data.



These aren't blocked on the default uBlock Origin setup it seems, and the batch endpoint seems like a possibly bad idea to block.

After blocking them, the behavior of filling up local storage can be seen.

The people who write this code need to fucking smarten up.

If you're being blocked don't try to circumvent it. Minute scroll and mouse movement data is biometric data.

Lets face it, localstorage is just cookies with extra space for more chips. Controls around cookies need to apply to localstorage as well.

I'd really like to be able to edit cookie lifetimes on a site-by-site basis. Overlap where cookies are reused by multiple sites. Plenty of cookies should be discarded a minute after last use. Others should stay around because they're useful.

While we're at it, just noticed that weather.com had 114 Mb stored, wtf?

Must have been cloud data.

How do I check LocalStorage in Firefox? I assume it is the 'Manage Data' button under 'Cookies and Site Data' section of the 'Privacy & Security' tab under settings?

Press F12 on medium, Storage tab, left side.

I'm using Cookie AutoDelete extension (along with uBO) on Firefox, which also deletes LocalStorage. Just have checked up, I have only 5 cookies for medium.com and no LocalStorage.

Related but you should be doing this regardless. Ctrl+Shift+Del and clear everything since forever ago. I do "Ctrl+Shift+Del, Enter" several times a day and use 2 browsers: stuff I'm logged into and everything else. Sometimes 3 browsers to segment logged in accounts.

P.S. If you have Chrome installed (on Windows) set this folder "C:\Users\*\AppData\Local\Google\Chrome\User Data\SwReporter\" to deny all access for each group and user.

Despite the shortcomings medium continues to be one of the top domains posted on hn https://news.ycombinator.com/from?site=medium.com

submitted, yes, but as time goes on it signals more and more the poor quality of those articles. Anecdotally it feels mediums articles are up-voted less now then they were in the beginning, if anyone has stats on it I would be happy to see if that's true.

I've created an extension to block links to domains you dislike, I've got mine set up to block Medium links.


Can't you just do this with uBlock Origin? Something like


Maybe! My extension offers a different set of features. It shows an angry emoji next to the blocked links, and lets you click on them. When you click on them, you're prompted to confirm that you want to follow the link, alongside a reminder of why you blocked the domain.

To check in Chromium:

1. Press F12 to open the Developer Tools 2. Inside the Developer Tools, Click the "Application" tab on the top of the pane. 3. You should see "Local Storage" on the left side of the pane.

Is there a way to disable WebGL, WebRTC and localStorage on browsers for good?

Firefox lets you turn off all 3 independently. This breaks some sites that demand device fingerprinting, though.

I wonder if there is any api that allows you to disable them per site (similar to how umatrix/ublock origin can block cookies/js per site)

If you disable JavaScript for Medium, it's fine. You still have access to the article in my experience.

Medium is garbage, and better options are available now, like SubStack. Here is example article:


Someone should write a fake event generator that clutters their analytics

This is why NoScript is complementary to uBlock.

You can block JavaScript with uBO[1], with the added ability vs. NoScript of being able to create rules on a per-site basis.[2]

* * *

[1] https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-...

[2] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...

How can I move my blog from Medium to Blogger?

Medium is trash.

MS Edge/Win10, Europe, "do not track", cookies from medium.com blocked and uBlock origin - doesn't seem to be happending on my system but of course that doesn't mean anything if it's geo-targeted. Also gets rid of the paywall, for now.

On Android I use this app to bypass the paywall


The idea that a website can store things locally on my machine -- especially without my knowledge or permission -- is !@#$ing absurd. The idea that a different website can then access that data is beyond infuriating.

Doesn't that come under the browser sandbox? Cross domain access shouldn't be possible.

Hey, have you ever heard of cookies?

Yeah, I'd be pretty mad if I had to log into a website every time I opened it or be blinded by a white screen at night when I toggled the dark theme last time I visited. There's so many good uses for storage to make things behave as one would expect. And it'd be a lot of friction to have permission dialogs for things as basic as cookies or localStorage.

I agree cookies have proven to be a largely pro-user feature over time but do you remember the backlash from techies and reporters alike when browsers first started implementing cookies back in the 90s?

Yup. Cookies are neat little chunks of things that a website puts on my computer that I then transmit back to it.

What is localstorage? Localstorage isn't little nor is it necessarily transmitted back.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact