Privacybadger: Weird Backchannel / Medium bug

Created on 27 Apr 2017 · 6 Comments · Source: EFForg/privacybadger

On this page I see broken images and CSS:

https://backchannel.com/the-myth-of-a-superhuman-ai-59282b686c62

Privacy Badger has blocked the following two domains for apparently being trackers:

cdn-images-1.medium.com
cdn-static-1.medium.com

The crazy thing is that Medium is DNT compliant, but it's possible they've only posted the policy on their top-level domain? If so we should ping them about this.

Labels: DNT policy, broken site

All 6 comments

We got a user report via email about this a couple of hours ago, copying my reply:

Thanks for letting us know! What happened is that we fixed a bug in how
we recognize EFF Do Not Track Policies (https://www.eff.org/dnt-policy),
and it seems that brought a different issue to the fore.

Last week (as part of https://github.com/EFForg/privacybadger/pull/1312, released with v2017.4.19.1), we made
DNT policies apply only to the specific domains they are posted on.
While we fixed a bug, unfortunately, we are now breaking
Medium-based websites because we are no longer letting their CDN domains
benefit from medium.com's posted DNT Policy.

Medium can fix this now by posting the EFF DNT Policy on every
applicable CDN domain. Could you please forward this information to them?

We also have an outstanding issue concerning CloudFlare that, once
implemented and released, should also resolve this problem: https://github.com/EFForg/privacybadger/issues/1237

Thanks again and sorry for not foreseeing this outcome.

We have some contacts at Medium, so I'll reach out to them.

I've emailed Medium and CC'd you.

Slack's blog is also affected by this one, it appears.

Privacy Badger should ignore Cloudflare-backed content domains (done in #1361) as of version 2017.3.9. If your Privacy Badger already learned to block cdn-images-1.medium.com, just toggle the slider for that domain to green.

I see that Medium posted a DNT policy on cdn-static-1.medium.com but not on cdn-images-1.medium.com. I'll ping them about this.

Do Not Track policies should now be posted on all Medium domains.

Note that Privacy Badger caches DNT policy check results and so can take up to a week to recheck already checked domains. Rechecking is triggered by visiting pages that include resources from these domains.
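
Added example, not part of the thread and not Privacy Badger's own code: a small model of the two behaviours discussed above, a DNT policy counting only for the exact host that serves it and a check result being cached for up to a week. The class and function names, the stand-in policy text, the SHA-256 known-hash comparison and the injected fetcher and clock are all assumptions of this sketch.

```javascript
const crypto = require("crypto");

const WEEK_MS = 7 * 24 * 60 * 60 * 1000; // recheck interval ("up to a week" in the thread)
const DAY_MS = 24 * 60 * 60 * 1000;
const POLICY = "constructed stand-in for the EFF DNT policy text";
const digest = (s) => crypto.createHash("sha256").update(s).digest("hex");
const KNOWN_HASHES = new Set([digest(POLICY)]); // assumption: policies are recognised by hash

class DntChecker {
  // fetchPolicy(host) -> policy text or null; now() -> ms. Both injected so this runs offline.
  constructor(fetchPolicy, now) {
    this.fetchPolicy = fetchPolicy;
    this.now = now;
    this.cache = new Map(); // host -> { ok, checkedAt }
  }

  // A policy counts only for the exact host that serves it; nothing is inherited from medium.com.
  isCompliant(host) {
    const hit = this.cache.get(host);
    if (hit && this.now() - hit.checkedAt < WEEK_MS) return hit.ok; // cached verdict
    const body = this.fetchPolicy(host);
    const ok = body !== null && KNOWN_HASHES.has(digest(body));
    this.cache.set(host, { ok, checkedAt: this.now() });
    return ok;
  }
}

// Replays the thread's timeline with constructed data.
function replayMediumTimeline() {
  const posted = new Map([["medium.com", POLICY], ["cdn-static-1.medium.com", POLICY]]);
  let clock = 0;
  const checker = new DntChecker((h) => (posted.has(h) ? posted.get(h) : null), () => clock);
  const images = "cdn-images-1.medium.com";

  const staticCdn = checker.isCompliant("cdn-static-1.medium.com"); // policy posted on this host
  const beforeFix = checker.isCompliant(images); // parent domain's policy does not count
  posted.set(images, POLICY);                    // policy is now posted on the image CDN
  clock += 3 * DAY_MS;
  const stillCached = checker.isCompliant(images); // stale negative verdict from the cache
  clock += 5 * DAY_MS;
  const afterRecheck = checker.isCompliant(images); // cache expired, host is fetched again
  return { staticCdn, beforeFix, stillCached, afterRecheck };
}

console.log(replayMediumTimeline());
```

The `stillCached` result is the window in which a site operator has already posted the policy but a client that checked earlier keeps the old negative verdict.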
