Tell HN: Check medium's localstorage if you use adblock
If you have uBlock or similar, it appears medium logs all analytics pings into HTML5 LocalStorage and will keep retrying to send them (and apparently periodically change domains and subdomains to try and send them).
I had tens of thousands of entries in localStorage, wasting quite a bit of space, all of them at least 400-600 characters or more. Each time I scrolled it'd add a few dozen more in, to the point where devtools was freezing. Ridiculous.
Example: https://i.imgur.com/M4E3kqg.png
143 comments
[ 4.8 ms ] story [ 253 ms ] threadIt's nothing complex, just looks for links to medium.com and removes them from the page.
https://gist.github.com/RichardVasquez/5d46ffe01053162562a79...
A nice project to work on would be to write a Chrome and Firefox extension that could watch, notify, and store localstorage and other tool usage on a per-site basis with an admin panel for whitelisting or blacklisting sites, similar to how uBlock functions.
Personally I run a few extensions that attempt to block or obfuscate fingerprinting attempts by sites inspecting system fonts, canvas rendering, etc. Some sites break altogether with these extensions.
[0]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
[1]: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
As an aside, I'm appalled they'd do this as I'm a paying customer of their service, but as an engineer I have to respect the work & ingenuity that went into this solution.
Any European residents want to confirm this is happening with them?
I found this: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
You should use the Euro judicial framework to get resolution for this 100%.
Americans like to complain about European legislation but this is a perfect example of government powers done right! (I'm a dual American/French citizen living in the US).
I miss the days where it felt like software was trying to make my life easier, nowadays my experience is mostly characterized by a constant struggle to avoid being taken advantage of.
You as a reader would rather prefer that the publisher doesn’t spy on you. Would you feel comfortable reading a newspaper whilst the editor looked over your shoulder all the time ? You might want to do that as a paid testing panel but not voluntarily.
If you wrote an article, and you’re mediocre or spammy, of course you’d get off on such metrics to please yourself, to get validation. Good writers would not care as much.
Businesses need to earn money and knowing their customers is part of this.
Knowing your customer is important. Knowing everything about your customer is intrusive.
Or one can publish thoughtless, banal articles and collect lots of statistics on how long it takes your readers to figure out that the article is a waste of their time.
Distinguishing between the two is precisely what we were taught throughout grade school.
I’m still not convinced that online ad tech adds nearly as much value as the tracking industry wants us to think. Sure, it’s useful to know if you reader can afford the product wish to promote, but The Economist actually knows roughly what you income is, based on your shipping adress alone, while geo-location online still consistantly place me in the most expensive city in Denmark, but I live in an area where income is average at best.
The thing that matters to us is whether we create great content, not whether someone stopped reading at 54% of the way through a particular article. Our audience appreciates that our content is authentic, informed and honest. And I don’t mean “authentic” like social media types mean when they say things like “always strive to be authentic!” When you start telling editorial staff to write differently because the stats say something about one particular article you are in a race to the bottom. Medium is an awful platform that rewards badly written click bait targeting stupid people. It’s a blight on the face of the web.
I should think incognito would do similar.
And how would we make offline webapps which don't store anything on servers?
Cookies or use tls authentication.
> And how would we make offline webapps which don't store anything on servers?
Don't make webapps in the first place.
They do not need to, and unlike "webapps" there isn't a remote server that can change the code that you are running at any moment.
I may be in a minority but I still want to run on desktop linux with an ad blocker or vimium.
Webapps give me that. Native apps don’t.
Also, when pi-hole and mitmproxy are our only options to know what our device is doing and to block things we don't want, then we've lost. The web browser is basically the last bastion of control that we have with its devbar and networkbar and all. Blocking content/requests is something our devices should be able to do themselves.
It's a miracle of history that we have the browser, and it's hard to imagine us having it had it been invented today. We need to fight to keep it, not dismiss it with "ugh web tech amirite?" while we regress to native app black boxes as our only option.
You can't modify the webapp nor can you refuse to update it.
Even if it’s minimised you can still modify it.
I think this stuff should have a first-class UI component in 2020, not be hidden away in a submenu in the devbar that's frankly even annoying to deal with as a developer.
By pitching cookies only, you're saying that websites should only be able to store stuff that the browser should have to reflect back to the server through http headers. I don't think the constraint makes sense beyond wasting bandwidth for settings that should stay local.
Just look at this HN submission. We shouldn't need an HN submission to know this about the websites we visit. Browsers are failing us here. If a website is abusing our localstorage like this, it should be obvious (for the people who care). As it currently stands, browsers enable bad actors to do bad things silently with zero consequence beyond the few nerds who happen to notice it.
As an example, I'm reminded of the new iOS feature(?) that shows when the clipboard is being accessed which spurred a bunch of "wtf is $app doing with my clipboard?" last month. That's what I think setting cookies and localStorage should be like. Or at least a way to opt in to that behavior without throwing the baby out with "disable localstorage".
I can understand why Chrome might not want to improve in this regard as its parent company's interests directly conflict with more user control of web data, but amazingly, if anything, Firefox's settings for auditing and restricting websites is even worse. And none of the browsers, AFAIK, have taken the initiative in this area and tried to really differentiate themselves.
I suspect they think no one except a few tech users will be interested in these knobs, but the thing is, if you make them prominent, easy to use, understand and intuitive, I bet a lot more people will start using them.
There are few stories which are behind paywall. Do you think Netflix would have marked them explicitly behind paywall to earn money from blog?
Let's take this for a spin. Even if you cross post, then if someone tries to read it on medium first and encounters paywall, closes it, then finds your article on your blog and consciously or subconsciously this reader would already have a negative emotions about it and could easily loose patience before reading your whole post. Have you gained anything? no, you have potentially lost a long time reader.
I make sure to uncheck the option that may make my post exclusive in the future, and I also put canonical link[1]. The main goal is both SEO, and options for readers. If they prefer reading on Medium app or RSS or Dev.to than in my blog, so be it!
[1]: https://help.medium.com/hc/en-us/articles/360033930293-Set-a...
Once upon a time I would have done the same (or written a script), but I’m past the point of putting in extra effort to read “some random blogger’s article”.
If a random blogger/writer/whatever wants me or anyone else for that matter to read what they wrote, posting it on Medium is absurd. If it’s good enough to stick your name on it, and it’s important enough for you to write it, own the work you put into it, put it somewhere that people can read it without jumping through hoops or dealing with Medium’s BS. It’s a crappy site.
All Medium needed to do was take words that look like this: http://motherfuckingwebsite.com/
And turn it into this: http://bettermotherfuckingwebsite.com/
And you know, RSS feeds and maybe some image hosting, or custom domains and some other premium shit. Like these guys did:
https://www.blogger.com/
https://wordpress.com/
https://www.typepad.com/
Every one of these old-time blog platforms are still around, all of them offer/offered different things, all of them take some words you spit out and throw a fancy template around them and if none of that satisfies you, there’s as many static site generators and “blog engines” as there is porn, and like porn, you can always produce and personalize your own.
The blog platform provided the very foundation for their success because once people found out how easy it was, relative to the competition[0], to stand up an online presence using WordPress, you could "convert" the blog into an e-commerce website or a CMS or anything you can think of that needs to spit out HTML/CSS/JS, via the use of free/paid WordPress plugins.
[0] WordPress' competition included a wide variety of product categories apart from Movable Type, which used to be the dominant open source blogging platform. From dedicated CMS products like Joomla or Drupal or Plone, to dedicated e-commerce products like OsCommerce. WordPress fit nicely in the middle of these product categories due to its vibrant plugin community and focus on ease of use (at the cost of security), which is part of why it became popular.
https://en.wikipedia.org/wiki/Medium_(website)
>In 2012 the company said it was profitable and generated $45 million in revenue.
Pyra Labs (Blogger) was Evan Williams earlier adventure and Google acquired it in 2003. Evan Williams later went on to co-found Twitter and in 2012, founded Medium. I checked Crunchbase and as of 2016 they’ve taken on $132M across 3 funding rounds and as of at least last year, they are not profitable[1].
I remember the buzz around Medium back when it launched, Ev Williams was going to try and do something new and exciting with text and don’t call it a blog platform, it’ll be like Twitter but with longer form text and anyone could write for it, etc.
The reading experience was good, it did (and probably still does, but I don’t read anything on Medium anymore) have an interesting take on comments, and anyone could write for it. But it’s a blog platform. It is Ev Williams second crack at Blogger with some of the lessons of Twitter, and the conceit that by locking up enough authors into a kind of Yahoo-style lobster trap[2], they can sell themselves as the New York Times[3] by being a kind of YouTube for text.
The thing about YouTube is that videos are relative to text, expensive to encode, decode, store and distribute, and YouTube has an audience that goes to YouTube to watch video. Text can be had anywhere, and while you won’t find many people that hate to watch videos, there are plenty of people that do hate to read, and Medium as it was originally conceived and before the dickbars[4] started rolling in and they had to start hacking engagement was a love letter to the typed word. It was a really really good blog platform that didn’t want to think of itself that way, and that’s why it tried to flip the model and charge readers for access rather than charge writers for hosting or premium features.
Blogger was bought out, I actually found it amazing that TypePad[5] was still around, but the “blog engine” that powers it, Movable Type is still powering sites that you’ve probably heard of, daringfireball.net and Kottke.org being two of the more famous examples with the kinds of writers/bloggers I was advocating for: people who own what they have to say, every pixel of it.
WordPress is now the biggest fish in the blogging pond in mindshare, market share and revenue for blogging software. If it’s a blog and it’s not someone’s custom static site generator or Movable Type on the backend, then it is probably using WordPress either .com or .org.
[1] https://www.niemanlab.org/2019/03/the-long-complicated-and-e...
[2] http://ascii.textfiles.com/archives/2848 or https://web.archive.org/web/20200220000509/http://ascii.text...
“All I can say, looking back, is that when history takes a look at the lives of Jerry Yang and David Filo, this is what it will probably say:
Two graduate students, intrigued by a growing wealth of material on the Internet, built a huge fucking lobster trap, absorbed as much of human history and creativity as they could, and destroyed all of it.
Great work, guys.” -Jason Scott
[3] https://blog.medium.com/how-mediums-curation-distribution-an...
[4] https://daringfireball.net/2017/06/medium_dickbars
[5] I have lost track of where TypePad is relative to everyone else, even in its heyday it was the one platform I never signed up fo...
This wastes so much vertical space. Honestly, http://motherfuckingwebsite.com/ is a lot better.
But the World Wide Web has been in a downward spiral ever since the img tag came along.
(Though I prefer Valkyrie as the chosen font on that site—which was the default previously.)
Now I always have 2 free articles. ;) Let's see how long it lasts.
Have you tried deleting the site's cookies and refreshing? Clicking on the lock in the address bar > Cookies > Remove.
medium.com is one of the domains that I have set to always open in a temporary container.
What is localstorage? Localstorage isn't little nor is it necessarily transmitted back.
It does remove some images, but ok mobile, that is almost a feature in itself.
These terms are growing ever more common, and I certainly use services with similar terms. But I mean this is a fucking blog site, it take very little time and effort to throw up a WordPress site.
their demands for this service, far out way its value, at least to me anyway.
I think people have gotten far too dependent on sell your soul for bread crumb services.
Now, guess what: when googling for _the knests stack_ in the first few weeks, the top result was the preview article from medium. Even now, it's the second result, showing up above reddit or my blog post.
Which is a worthless metric since it won't be the same depending on a user's preferences, history, or location. It may be that their site averages as the top hit for a term but that's not the same as saying it's the top or second hit.
They're making claims about Medium's SEO chops with a metric that doesn't back up the claim.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cl...
This response header can be added with a localhost-bound proxy server like, e.g., haproxy:
Of course, the simplest solution is to just turn off JS before visiting medium; that should prevent any use of localStorage. I have never needed JS to read medium; it's just text. Text-only browser like links works fine.1. Open about:preferences
2. Go to Privacy & Security
3. Under Cookies and Site Data, click on 'Manage Exceptions'
4. Enter medium.com, click Block and then Save Changes.
By using a proxy, I disable Site Data for all sites and if I need it for a specific site I can add an exception.
It seems like Firefox, Chrome and probably others take the opposite approach. The default policy with these browsers is to enable Site Data globally for all sites. "Manage Exceptions" appears to refer to manual changes for every individual site that are required to deviate from this default "Go ahead and collect, store and track" policy.
If you're being blocked don't try to circumvent it. Minute scroll and mouse movement data is biometric data.
https://github.com/a-chris/medium-no-thanks
https://medium.com/_/api/activity
https://medium.com/_/batch
These aren't blocked on the default uBlock Origin setup it seems, and the batch endpoint seems like a possibly bad idea to block.
After blocking them, the behavior of filling up local storage can be seen.
https://github.com/fnune/nay
1. Open about:preferences
2. Go to Privacy & Security
3. Under Cookies and Site Data, click on 'Manage Exceptions'
4. Enter medium.com, click Block and then Save Changes.
Adding a warning upon localStorage would be like adding a warning upon setting cookies. The banners that websites add for setting non-essential cookies are annoying enough already without having to click past browser permission screens for essential cookies as well.
Also note that privacy laws or "cookie laws" don't ever mention the word cookie. If you are being tracked using localStorage, canvas fingerprinting, ETags, etc., they have to disclose the tracking. Not the method, I think, but what data they are collecting, for what purpose, with which retention period, and what their legal basis is (e.g. "we collect your address on the basis of fulfilling the contract to ship your package" or "we track you on the basis of consent"). LocalStorage is not something to be more or less afraid of than cookies, etags, etc.; the browser doesn't ask for those either, and I personally think that's better.