Tell HN: Check medium's localstorage if you use adblock

360 points by ev1 ↗ HN
If you have uBlock or similar, it appears medium logs all analytics pings into HTML5 LocalStorage and will keep retrying to send them (and apparently periodically change domains and subdomains to try and send them).

I had tens of thousands of entries in localStorage, wasting quite a bit of space, all of them at least 400-600 characters or more. Each time I scrolled it'd add a few dozen more in, to the point where devtools was freezing. Ridiculous.

Example: https://i.imgur.com/M4E3kqg.png

143 comments

[ 4.8 ms ] story [ 253 ms ] thread
Interesting. Something like this can be mitigated by blocking localstorage access or using container-like solutions such as Firefox containers[0][1].

A nice project to work on would be to write a Chrome and Firefox extension that could watch, notify, and store localstorage and other tool usage on a per-site basis with an admin panel for whitelisting or blacklisting sites, similar to how uBlock functions.

Personally I run a few extensions that attempt to block or obfuscate fingerprinting attempts by sites inspecting system fonts, canvas rendering, etc. Some sites break altogether with these extensions.

[0]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...

[1]: https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

(comment deleted)
I use "Quick Javascript Switcher" on Chrome and it's amazing. Turning off javascript on certain sites improves usability by a ton.
I don't know why you would use an extension for this since the behaviour is already built-in to chrome. Click the padlock next to the url -> site settings -> javascript off
Thanks for the heads up. I looked at mine and it seems like the major of the events in localstorage are getting sent successfully as my adblocker isn't blocking the medium activity or batch API calls, however the lightstep events are blocked and stuck in my localstorage.

As an aside, I'm appalled they'd do this as I'm a paying customer of their service, but as an engineer I have to respect the work & ingenuity that went into this solution.

It's not exactly that hard to imagine. I've thought about a solution like this for 2 separate products across 2 different companies, and it was separately rejected for ethics concerns both times. You'd be surprised what company decided to reject it in the first case. This is an abuse of web APIs to achieve targeted data monitoring of users and probably a severe violation of GDPR.

Any European residents want to confirm this is happening with them?

Can confirm that this is the case for me as well. (EU resident.)
Have you considered filing a GDPR complaint? I would really encourage you to do so.

I found this: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

You should use the Euro judicial framework to get resolution for this 100%.

Americans like to complain about European legislation but this is a perfect example of government powers done right! (I'm a dual American/French citizen living in the US).

I've just spend good 15 minutes on it and in case of France it seems far from trivial. It doesn't look like it's a matter of sending a single e-mail.
Can you kindly opine? I am not in France at the moment so I'd love to learn what issues you are facing. Sorry to waste your time but I think this is a critically important topic if we want to preserve our data, privacy, and related rights into the future.
Medium is so chock full of anti-features this doesn't surprise me at all. I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

I miss the days where it felt like software was trying to make my life easier, nowadays my experience is mostly characterized by a constant struggle to avoid being taken advantage of.

fwiw opening the article in an incognito tab usually does the trick to get past the article limits. That said, you're right on the money about how badly it sometimes seems that medium doesn't want me to ever use their service
(comment deleted)
Wouldn’t you agree that it’s really valuable to know if people actually read the article, how far and which parts?
Are you kidding? No of course not.

You as a reader would rather prefer that the publisher doesn’t spy on you. Would you feel comfortable reading a newspaper whilst the editor looked over your shoulder all the time ? You might want to do that as a paid testing panel but not voluntarily.

If you wrote an article, and you’re mediocre or spammy, of course you’d get off on such metrics to please yourself, to get validation. Good writers would not care as much.

It's like saying that as a McDonald's customer, you'd prefer they did not charge you for food and you could just get it for free, without having to follow the rules. In fact, McDonald's has a lot of anti features: having to wait in line, greasy food, having to pay for the food and inability to bring outside food and drinks.

Businesses need to earn money and knowing their customers is part of this.

It's not like that at all.
It would be like that if McDonald's started to put surveillance systems into their bags to learn about how you consume their burgers and fries once you've walked out of the restaurant.

Knowing your customer is important. Knowing everything about your customer is intrusive.

“Knowing your customer” is not equivalent to performing surveillance on your customers. People knew their customer for centuries before we could tell that a random unwitting user spent 1.6 minutes on the page and exactly where they put their mouse cursor while they were on it.
No. I'll take an opposing viewpoint. It's not "really" valuable, it's marginally valuable. If your articles aren't yahoo-style clickbait, anything you'd do with that data would just make your future articles less authentic. Alternatively, is your collection and utilization of that information worth invading the privacy of your readers? The printed version of The Economist continues to deliver a fantastic product yet they have no idea how far into each article (or even the entire magazine) I get each week. They simply publish detailed, excellent articles which draw me back, week after week. Why should online articles be any different? An incisive author who has put in the effort to prepare a good, thoughtful article knows it is so before publishing.

Or one can publish thoughtless, banal articles and collect lots of statistics on how long it takes your readers to figure out that the article is a waste of their time.

Distinguishing between the two is precisely what we were taught throughout grade school.

You have absolutely nailed it. The cruft medium provides and calls insight is only valuable to people who want to work out how trick their audience into reading further in articles where they deliver no value.
An interesting note on The Economist is that their digital and print verions are priced the same, despite the higher cost of printing and delivering the printed version. The ads in the print version is simply worth more compared to the digital version.

I’m still not convinced that online ad tech adds nearly as much value as the tracking industry wants us to think. Sure, it’s useful to know if you reader can afford the product wish to promote, but The Economist actually knows roughly what you income is, based on your shipping adress alone, while geo-location online still consistantly place me in the most expensive city in Denmark, but I live in an area where income is average at best.

Not at all. Why would that be valuable to me as a reader?
Do whats best for the user. Does the user want that? No.
One of the things I do is run a small B2B publishing company. We turn over a modest six figure dollar amount each year with a tiny tiny team. We are recognised as one of the leaders in our niche.

The thing that matters to us is whether we create great content, not whether someone stopped reading at 54% of the way through a particular article. Our audience appreciates that our content is authentic, informed and honest. And I don’t mean “authentic” like social media types mean when they say things like “always strive to be authentic!” When you start telling editorial staff to write differently because the stats say something about one particular article you are in a race to the bottom. Medium is an awful platform that rewards badly written click bait targeting stupid people. It’s a blight on the face of the web.

You are the product. We need to change that business model.
(comment deleted)
I find opening Medium in an incognito window gets past the wall. Are they now plugging that loophole?
I doubt it. I've set Firefox to never allow cookies or site data from medium.com. Seems to have worked as I don't have any entries from them.

I should think incognito would do similar.

Don't think so, that's my tactic, too
I would argue that the anti-feature is the existence of local storage. Medium is just a symptom of the underlying issue, which is that browsers do not care about privacy.
I am about to implement a privacy friendly base knowledge app, and local storage is a cornerstone for doing fast full text search.
Erm, how should ppl keep Frontend authentication tokens etc between refreshes without something like local storage?

And how would we make offline webapps which don't store anything on servers?

> Frontend authentication tokens etc

Cookies or use tls authentication.

> And how would we make offline webapps which don't store anything on servers?

Don't make webapps in the first place.

Yeah let's download desktop apps! They all have permission to upload your entire documents folder to the internet.
> They all have permission to upload your entire documents folder to the internet

They do not need to, and unlike "webapps" there isn't a remote server that can change the code that you are running at any moment.

Your response entirely fails to address the parent's concern about security. It's like responding to a RCE in your backend with "yeah it's there but we'll trust the users to not use it"
I do not understand your example. It would not be the user triggering the RCE but rather a 3rd party. In addition I do not see how it fails to address their concern.
No applications installed through the Mac App Store have permission to read your documents unless you explicitly allow that. And you can revoke that access at any time by going to System Preferences… > Security & Privacy > Privacy > Files & Folders.
If the choice is between a webapp and a native app the webapp is going to give users more control and a choice of the platform they want to view it on.

I may be in a minority but I still want to run on desktop linux with an ad blocker or vimium.

Webapps give me that. Native apps don’t.

An ad-blocker in the form of something like a pi-hole should work with native apps, no?
Only when you are connected through your pi-hole.

Also, when pi-hole and mitmproxy are our only options to know what our device is doing and to block things we don't want, then we've lost. The web browser is basically the last bastion of control that we have with its devbar and networkbar and all. Blocking content/requests is something our devices should be able to do themselves.

It's a miracle of history that we have the browser, and it's hard to imagine us having it had it been invented today. We need to fight to keep it, not dismiss it with "ugh web tech amirite?" while we regress to native app black boxes as our only option.

A pi hole protects your whole network. What you are asking for sounds more like a traditional firewall that I think every computer still supports.
> the webapp is going to give users more control

You can't modify the webapp nor can you refuse to update it.

Of course you can modify the webapp. You are running the source code in your browser.

Even if it’s minimised you can still modify it.

No, I think the anti-feature is that browsers don't give users good tools to see when things are being stored in storage (cookies, localstorage, etc.), what is being stored, whether it should be stored, and when it should expire.

I think this stuff should have a first-class UI component in 2020, not be hidden away in a submenu in the devbar that's frankly even annoying to deal with as a developer.

By pitching cookies only, you're saying that websites should only be able to store stuff that the browser should have to reflect back to the server through http headers. I don't think the constraint makes sense beyond wasting bandwidth for settings that should stay local.

Just look at this HN submission. We shouldn't need an HN submission to know this about the websites we visit. Browsers are failing us here. If a website is abusing our localstorage like this, it should be obvious (for the people who care). As it currently stands, browsers enable bad actors to do bad things silently with zero consequence beyond the few nerds who happen to notice it.

As an example, I'm reminded of the new iOS feature(?) that shows when the clipboard is being accessed which spurred a bunch of "wtf is $app doing with my clipboard?" last month. That's what I think setting cookies and localStorage should be like. Or at least a way to opt in to that behavior without throwing the baby out with "disable localstorage".

Yup, you're on the money here. In fact browsers should make accessing the data stored by sites and modifying their permissions drop-dead intuitive, even for non-tech users and those with more knowledge should be afforded further knobs to tweak. This kind of UI might be a bit hard to design and require some thought, but I think it is quite possible, and I find it surprising that even after all these years, the dialogues and preferences dealing with examining and controlling the storage and execution of websites and apps to be poorly thought out, obscure and very clunky.

I can understand why Chrome might not want to improve in this regard as its parent company's interests directly conflict with more user control of web data, but amazingly, if anything, Firefox's settings for auditing and restricting websites is even worse. And none of the browsers, AFAIK, have taken the initiative in this area and tried to really differentiate themselves.

I suspect they think no one except a few tech users will be interested in these knobs, but the thing is, if you make them prominent, easy to use, understand and intuitive, I bet a lot more people will start using them.

I find that medium is even moving articles behind paywall even without consent from author. It was not happening earlier. For example - Look at Netflix Medium blog https://medium.com/@NetflixTechBlog

There are few stories which are behind paywall. Do you think Netflix would have marked them explicitly behind paywall to earn money from blog?

Last I checked the Medium paywall is opt-out on each post you make. Quite easy to accidentally leave it checked.
interesting, so medium is becoming another silo. I knew they were user hostile web actor but their recent moves are horrible.

Let's take this for a spin. Even if you cross post, then if someone tries to read it on medium first and encounters paywall, closes it, then finds your article on your blog and consciously or subconsciously this reader would already have a negative emotions about it and could easily loose patience before reading your whole post. Have you gained anything? no, you have potentially lost a long time reader.

I’m currently cross posting medium and hashnode but you’ve got a point there. Maybe time to say goodbye to medium. I’m not using their distribution/paywall anyway so all medium is to me is a really nice editor.
I use Medium (also dev.to) only to cross post my weblogs.

I make sure to uncheck the option that may make my post exclusive in the future, and I also put canonical link[1]. The main goal is both SEO, and options for readers. If they prefer reading on Medium app or RSS or Dev.to than in my blog, so be it!

[1]: https://help.medium.com/hc/en-us/articles/360033930293-Set-a...

Is there a chrome extension that auto opens medium articles in archive view after clicking link?
> I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

Once upon a time I would have done the same (or written a script), but I’m past the point of putting in extra effort to read “some random blogger’s article”.

If a random blogger/writer/whatever wants me or anyone else for that matter to read what they wrote, posting it on Medium is absurd. If it’s good enough to stick your name on it, and it’s important enough for you to write it, own the work you put into it, put it somewhere that people can read it without jumping through hoops or dealing with Medium’s BS. It’s a crappy site.

All Medium needed to do was take words that look like this: http://motherfuckingwebsite.com/

And turn it into this: http://bettermotherfuckingwebsite.com/

And you know, RSS feeds and maybe some image hosting, or custom domains and some other premium shit. Like these guys did:

https://www.blogger.com/

https://wordpress.com/

https://www.typepad.com/

Every one of these old-time blog platforms are still around, all of them offer/offered different things, all of them take some words you spit out and throw a fancy template around them and if none of that satisfies you, there’s as many static site generators and “blog engines” as there is porn, and like porn, you can always produce and personalize your own.

And yet medium is more successful then "these guys".
Wordpress powers about a third of the web and Automattic has a significantly higher valuation than Medium. Maybe Medium's cooler, but it's not more successful.
But they aren’t more successful through the blog platform, instead by providing website foundation most companies use to create company websites, e-commerce websites and, a few of them, blogs.
> But they aren’t more successful through the blog platform, instead by providing website foundation most companies use to create company websites, e-commerce websites and, a few of them, blogs.

The blog platform provided the very foundation for their success because once people found out how easy it was, relative to the competition[0], to stand up an online presence using WordPress, you could "convert" the blog into an e-commerce website or a CMS or anything you can think of that needs to spit out HTML/CSS/JS, via the use of free/paid WordPress plugins.

[0] WordPress' competition included a wide variety of product categories apart from Movable Type, which used to be the dominant open source blogging platform. From dedicated CMS products like Joomla or Drupal or Plone, to dedicated e-commerce products like OsCommerce. WordPress fit nicely in the middle of these product categories due to its vibrant plugin community and focus on ease of use (at the cost of security), which is part of why it became popular.

Automattic isn't just wordpress. But even if wordpress is more successful, the fact that medium had any success at all, even though wordpress already existed proves that medium did something right.
WordPress had somewhere around $132 million in revenue last year, Medium had $12.2 million revenue.
Is it though?

Pyra Labs (Blogger) was Evan Williams earlier adventure and Google acquired it in 2003. Evan Williams later went on to co-found Twitter and in 2012, founded Medium. I checked Crunchbase and as of 2016 they’ve taken on $132M across 3 funding rounds and as of at least last year, they are not profitable[1].

I remember the buzz around Medium back when it launched, Ev Williams was going to try and do something new and exciting with text and don’t call it a blog platform, it’ll be like Twitter but with longer form text and anyone could write for it, etc.

The reading experience was good, it did (and probably still does, but I don’t read anything on Medium anymore) have an interesting take on comments, and anyone could write for it. But it’s a blog platform. It is Ev Williams second crack at Blogger with some of the lessons of Twitter, and the conceit that by locking up enough authors into a kind of Yahoo-style lobster trap[2], they can sell themselves as the New York Times[3] by being a kind of YouTube for text.

The thing about YouTube is that videos are relative to text, expensive to encode, decode, store and distribute, and YouTube has an audience that goes to YouTube to watch video. Text can be had anywhere, and while you won’t find many people that hate to watch videos, there are plenty of people that do hate to read, and Medium as it was originally conceived and before the dickbars[4] started rolling in and they had to start hacking engagement was a love letter to the typed word. It was a really really good blog platform that didn’t want to think of itself that way, and that’s why it tried to flip the model and charge readers for access rather than charge writers for hosting or premium features.

Blogger was bought out, I actually found it amazing that TypePad[5] was still around, but the “blog engine” that powers it, Movable Type is still powering sites that you’ve probably heard of, daringfireball.net and Kottke.org being two of the more famous examples with the kinds of writers/bloggers I was advocating for: people who own what they have to say, every pixel of it.

WordPress is now the biggest fish in the blogging pond in mindshare, market share and revenue for blogging software. If it’s a blog and it’s not someone’s custom static site generator or Movable Type on the backend, then it is probably using WordPress either .com or .org.

[1] https://www.niemanlab.org/2019/03/the-long-complicated-and-e...

[2] http://ascii.textfiles.com/archives/2848 or https://web.archive.org/web/20200220000509/http://ascii.text...

“All I can say, looking back, is that when history takes a look at the lives of Jerry Yang and David Filo, this is what it will probably say:

Two graduate students, intrigued by a growing wealth of material on the Internet, built a huge fucking lobster trap, absorbed as much of human history and creativity as they could, and destroyed all of it.

Great work, guys.” -Jason Scott

[3] https://blog.medium.com/how-mediums-curation-distribution-an...

[4] https://daringfireball.net/2017/06/medium_dickbars

[5] I have lost track of where TypePad is relative to everyone else, even in its heyday it was the one platform I never signed up fo...

> And turn it into this: http://bettermotherfuckingwebsite.com/

This wastes so much vertical space. Honestly, http://motherfuckingwebsite.com/ is a lot better.

My personal preference is actually for http://motherfuckingwebsite.com/ but I had a point to make about what blogging platforms could theoretically bring to the table: stylesheets.

But the World Wide Web has been in a downward spiral ever since the img tag came along.

A better example of constrained design for text articles is https://practicaltypography.com

(Though I prefer Valkyrie as the chosen font on that site—which was the default previously.)

That's a fair position. I don't completely agree, but I certainly empathize. It could also be said of multiple perspectives related to software from employment, coworkers, user experience, data, social engagement, and so forth. It seems there is a tremendous amount of potential exploitation for undisclosed motives.
A while ago, I realized that I could just block all cookies for Medium.

Now I always have 2 free articles. ;) Let's see how long it lasts.

Medium is charging now? Isn't it all third party content offered to them for free? Or do the authors get to choose to charge at their discretion?
The authors get to choose, and are paid when they get views from paying customers.
>I often find myself hunting for an archive link to read some article because I'm past my free article limit. It's absurd that I have to sign up for Medium to read some random blogger's article.

Have you tried deleting the site's cookies and refreshing? Clicking on the lock in the address bar > Cookies > Remove.

The idea that a website can store things locally on my machine -- especially without my knowledge or permission -- is !@#$ing absurd. The idea that a different website can then access that data is beyond infuriating.
Hey, have you ever heard of cookies?
Yeah, I'd be pretty mad if I had to log into a website every time I opened it or be blinded by a white screen at night when I toggled the dark theme last time I visited. There's so many good uses for storage to make things behave as one would expect. And it'd be a lot of friction to have permission dialogs for things as basic as cookies or localStorage.
I agree cookies have proven to be a largely pro-user feature over time but do you remember the backlash from techies and reporters alike when browsers first started implementing cookies back in the 90s?
Yup. Cookies are neat little chunks of things that a website puts on my computer that I then transmit back to it.

What is localstorage? Localstorage isn't little nor is it necessarily transmitted back.

Doesn't that come under the browser sandbox? Cross domain access shouldn't be possible.
Medium is much better without JavaScript. No article view limits, no creepy showing you your Google account and asking you to log in, nothing. And of course, no messing with your LocalStorage.

It does remove some images, but ok mobile, that is almost a feature in itself.

In Chrome, you can do this with chrome://settings/content/javascript which lets you blacklist JS on certain domains.
uBlock Origin can also disable JavaScript on domains. I discovered this recently and were pleasantly surprised that this was added.
You can even disable javascript by default on uBlock, a la uMatrix. I've turned it on on my lower-performance MacBook Air, and it's made web browsing so much more pleasant.
Give uMatrix a try if you want to get even more granular.
Googles one tap is sooooo creepy. I have it blocked in ub origin. I’m always afraid of accidentally logging in - probably something they hope for.
Arguably the mother of all dark UI patterns, and pretty tangible proof that Google's "Don't be evil" times are long gone.
As soon as I see Google's sign in I disable javascript for that domain. It's like a glowing red sign that website doesn't care about my privacy at all.
Agreed. It's on Pinterest too. It's way too jarring UI to make it seem like a website knows all of your Google accounts, it amazes me they thought that dropdown menu that was the right move.
You can use localStorage.clear() in the dev console to clear this info and chrome://settings/content/javascript to blacklist JS on a domain in Chrome.
I am honestly baffled at why anyone uses medium, I just flatly refuse. Their stance on binding arbitration, and that in any disturbed claims that I agree to pay for the legal defense but give them total control over the defense.

These terms are growing ever more common, and I certainly use services with similar terms. But I mean this is a fucking blog site, it take very little time and effort to throw up a WordPress site.

their demands for this service, far out way its value, at least to me anyway.

I think people have gotten far too dependent on sell your soul for bread crumb services.

It's probably because of the good SEO the articles written there get: I published a project on GitHub, then an article on my personal blog about it (with a back link from the repo itself), then an intro article on medium with a link to repo and a "read more" toward my blog post. Then I submitted the GH repo and/or my blog post to some reddit threads.

Now, guess what: when googling for _the knests stack_ in the first few weeks, the top result was the preview article from medium. Even now, it's the second result, showing up above reddit or my blog post.

If you hadn't posted the preview on Medium it wouldn't get any SEO. Your problem is of your own making.
A link's position in a Google search is basically a worthless measure anymore. Every Google user ends up microtargeted such that the ordering of results or even which results are displayed is rarely consistent.
Use Google Search Console and the data there is far from worthless. Average position, impressions and clicks for all the keywords visiting your site.
The GP didn't reference Google Search Console. They mentioned their site's position on their microtargeted search results.

Which is a worthless metric since it won't be the same depending on a user's preferences, history, or location. It may be that their site averages as the top hit for a term but that's not the same as saying it's the top or second hit.

They're making claims about Medium's SEO chops with a metric that doesn't back up the claim.

Here is one way to clear localStorage without using Javacript, Add-Ons or Extensions:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cl...

This response header can be added with a localhost-bound proxy server like, e.g., haproxy:

     http-response add-header Clear-Site-Data *
Of course, the simplest solution is to just turn off JS before visiting medium; that should prevent any use of localStorage. I have never needed JS to read medium; it's just text. Text-only browser like links works fine.
Or, just block it, as you're using Firefox:

1. Open about:preferences

2. Go to Privacy & Security

3. Under Cookies and Site Data, click on 'Manage Exceptions'

4. Enter medium.com, click Block and then Save Changes.

Is there a way to disable Site Data globally for all sites?

By using a proxy, I disable Site Data for all sites and if I need it for a specific site I can add an exception.

It seems like Firefox, Chrome and probably others take the opposite approach. The default policy with these browsers is to enable Site Data globally for all sites. "Manage Exceptions" appears to refer to manual changes for every individual site that are required to deviate from this default "Go ahead and collect, store and track" policy.

How do I check LocalStorage in Firefox? I assume it is the 'Manage Data' button under 'Cookies and Site Data' section of the 'Privacy & Security' tab under settings?
Press F12 on medium, Storage tab, left side.
While we're at it, just noticed that weather.com had 114 Mb stored, wtf?
More people need to be publishing on federated platforms like WriteFreely and Plumo so we don't have this sort of lock-in and readers can use existing fediverse accounts to comment and boost without signing up for and into these sorts of services.
Is there a way to disable WebGL, WebRTC and localStorage on browsers for good?
Firefox lets you turn off all 3 independently. This breaks some sites that demand device fingerprinting, though.
I wonder if there is any api that allows you to disable them per site (similar to how umatrix/ublock origin can block cookies/js per site)
Despite the shortcomings medium continues to be one of the top domains posted on hn https://news.ycombinator.com/from?site=medium.com
submitted, yes, but as time goes on it signals more and more the poor quality of those articles. Anecdotally it feels mediums articles are up-voted less now then they were in the beginning, if anyone has stats on it I would be happy to see if that's true.
The people who write this code need to fucking smarten up.

If you're being blocked don't try to circumvent it. Minute scroll and mouse movement data is biometric data.

Medium is trash.
I'm using Cookie AutoDelete extension (along with uBO) on Firefox, which also deletes LocalStorage. Just have checked up, I have only 5 cookies for medium.com and no LocalStorage.
It doesn't seem to do that for me, it instead just uses these two endpoints instead of the "report" endpoint to send the same data.

https://medium.com/_/api/activity

https://medium.com/_/batch

These aren't blocked on the default uBlock Origin setup it seems, and the batch endpoint seems like a possibly bad idea to block.

After blocking them, the behavior of filling up local storage can be seen.

I've created an extension to block links to domains you dislike, I've got mine set up to block Medium links.

https://github.com/fnune/nay

Can't you just do this with uBlock Origin? Something like

  ##a[href*="medium.com"]
Maybe! My extension offers a different set of features. It shows an angry emoji next to the blocked links, and lets you click on them. When you click on them, you're prompted to confirm that you want to follow the link, alongside a reminder of why you blocked the domain.
In Firefox, you can prevent it from using site data and cookies. This also has the advantage of reseting the count of the number of articles that you can read when you close the tab.

1. Open about:preferences

2. Go to Privacy & Security

3. Under Cookies and Site Data, click on 'Manage Exceptions'

4. Enter medium.com, click Block and then Save Changes.

Couldn’t browsers ask before using local storage? Then I can approve it for sites where I believe it would make a positive difference (Once/Always/Never), and with an option to clear when the browser is closed. Bonus points if I can preview what’s being stored.
There are many legitimate uses for localStorage, e.g. see the API key field at https://beanstack.io (disclosure: a site I helped build): it will remember the value for you if you enter a value and hit submit. If you then, upon clicking submit, had to click through a browser pop-up asking if you want to let the website store data in your browser, that would feel like we're indeed tracking you when really what we're doing is trying to make your life easier without doing tracking. We could have used a cookie, but why should we if we can use localStorage which is privately yours and not sent to the server with every request?

Adding a warning upon localStorage would be like adding a warning upon setting cookies. The banners that websites add for setting non-essential cookies are annoying enough already without having to click past browser permission screens for essential cookies as well.

Also note that privacy laws or "cookie laws" don't ever mention the word cookie. If you are being tracked using localStorage, canvas fingerprinting, ETags, etc., they have to disclose the tracking. Not the method, I think, but what data they are collecting, for what purpose, with which retention period, and what their legal basis is (e.g. "we collect your address on the basis of fulfilling the contract to ship your package" or "we track you on the basis of consent"). LocalStorage is not something to be more or less afraid of than cookies, etags, etc.; the browser doesn't ask for those either, and I personally think that's better.

Someone should write a fake event generator that clutters their analytics