diff --git a/4.1-Extensions.md b/4.1-Extensions.md index c2881de..b9f8b4e 100644 --- a/4.1-Extensions.md +++ b/4.1-Extensions.md 
@@ -4,18 +4,21 @@ Also, see [this sticky issue](https://github.com/ghacksuserjs/ghacks-user.js/iss If you would like to submit a privacy or security related extension to be added to this list, please post the details [here](https://github.com/ghacksuserjs/ghacks-user.js/issues/655) for consideration, thanks. +:exclamation: **CSP**: When multiple extensions use a CSP header injection, **only one wins** and predicting the winner is like [rolling a dice](https://github.com/ghacksuserjs/ghacks-user.js/issues/265#issuecomment-393935989). Also see [#497](https://github.com/ghacksuserjs/ghacks-user.js/issues/497)). **Some** CSP items to be aware of are highlighted below. + ### :small_orange_diamond: Extensions These are all, where applicable, best configured to `deny-all` and whitelist. * [uBlock Origin](https://addons.mozilla.org/firefox/addon/ublock-origin/) ✔ [Privacy](https://github.com/gorhill/uBlock/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uBlock) - * Essential if you are not using Mozilla's Tracking Protection and Safe Browsing + * :exclamation: **CSP**: font **rules** use CSP [unsure about font filters] - use Redirector instead * [uMatrix](https://addons.mozilla.org/firefox/addon/umatrix/) ✔ [Privacy](https://github.com/gorhill/uMatrix/wiki/Privacy-policy) | [GitHub](https://github.com/gorhill/uMatrix) * [Decentraleyes](https://addons.mozilla.org/firefox/addon/decentraleyes/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/decentraleyes/privacy/) | [GitLab](https://git.synz.io/Synzvato/decentraleyes) | [GitHub Archive](https://github.com/Synzvato/decentraleyes) * :exclamation: uBlock Origin users should add the [following rules](https://git.synz.io/Synzvato/decentraleyes/wikis/Frequently-Asked-Questions) if required * [CSS Exfil Protection](https://addons.mozilla.org/firefox/addon/css-exfil-protection/) | [GitHub](https://github.com/mlgualtieri/CSS-Exfil-Protection) | [Homepage + 
Test](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) * [HTTPS Everywhere](https://addons.mozilla.org/firefox/addon/https-everywhere/) ✔ [Privacy](https://www.eff.org/code/privacy/policy) | [GitHub](https://github.com/EFForg/https-everywhere) + * :exclamation: **CSP**: blocking all insecure requests (`httpNowhereOn`) uses CSP * [CanvasBlocker](https://addons.mozilla.org/firefox/addon/canvasblocker/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/) | [GitHub](https://github.com/kkapsner/CanvasBlocker) - * :exclamation: uncheck the option `Misc > Block data URL pages`. When multiple extensions (e.g. uBO, uMatrix etc) use CSP header injection/modification, only one wins. Predicting the winner is like [rolling a dice](https://github.com/ghacksuserjs/ghacks-user.js/issues/265#issuecomment-393935989) (also see [#497](https://github.com/ghacksuserjs/ghacks-user.js/issues/497)) + * :exclamation: **CSP**: `Misc > Block data URL pages` uses CSP * [Smart Referer](https://addons.mozilla.org/firefox/addon/smart-referer/) ✔ [Privacy](https://addons.mozilla.org/firefox/addon/smart-referer/privacy/) | [GitLab](https://gitlab.com/smart-referer/smart-referer) | [GitHub Archive](https://github.com/meh/smart-referer) * [Header Editor](https://addons.mozilla.org/firefox/addon/header-editor/) | [GitHub](https://github.com/FirefoxBar/HeaderEditor) * Allows you to run [Rules](https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor) to modify headers such as blocking ETags
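Review bot: In the CanvasBlocker entry, the replacement bullet ("**CSP**: `Misc > Block data URL pages` uses CSP") drops the "uncheck the option" instruction that the removed line carried, so the reader learns that the setting injects a CSP header but not what to do about it. The new HTTPS Everywhere `httpNowhereOn` bullet has the same gap. Since the new top-level note says only one extension's CSP injection wins, each flagged bullet should state the recommended action (for CanvasBlocker, keep the "uncheck" wording), or the top-level note should say how to choose which extension is allowed to inject. Two smaller points in the added lines: the top-level note ends with "issues/497))", an unbalanced closing parenthesis left over from the old "(also see ...)" phrasing, and the uBlock Origin bullet ships an unresolved "[unsure about font filters]" placeholder that should be confirmed or removed before merging. That bullet also replaces the "Essential if you are not using Mozilla's Tracking Protection and Safe Browsing" line outright; if that guidance is still valid, add the CSP bullet beside it rather than in its place.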