diff --git a/Dynamic-filtering:-default-deny.md b/Dynamic-filtering:-default-deny.md
index ce060ab..1e0462e 100644
--- a/Dynamic-filtering:-default-deny.md
+++ b/Dynamic-filtering:-default-deny.md
@@ -2,13 +2,22 @@
***
-Default-deny is an awesome blocking mode for whoever is ready for the task of having to un-break web sites during the first visit, and agrees that in general most 3rd-party resources from web pages:
+Default-deny is an awesome blocking mode for whoever agrees that in general most 3rd-party resources from web pages:
- are not really _all_ required
- increase privacy exposure
-![Default-deny](https://raw.githubusercontent.com/gorhill/uBlock/master/doc/img/df-dd-01.png)
-Default-deny engaged, through the default blocking of 3rd-party network requests.
+Strictly speaking, default-deny means to block everything and let the user choose what should not be blocked. This strictest mode of default-deny is impractical though, as this means that most web pages would be broken, and more than likely most users would not make use if it.
+
+With uBlock it is possible to use more relax (and thus practical) versions of default-deny: _3rd-party-deny_ (stricter), and _3rd-party active content-deny_ (for lack of better expression).
+
+_3rd-party-deny_ will result in more remote resources being blocked, as anything which is 3rd-party to the current site will be blocked by default. This means a higher likelihood that web pages won't render or behave properly:
+
+![Default-deny anything which is 3rd-party](https://cloud.githubusercontent.com/assets/585534/8889495/c0694db0-32aa-11e5-9c1d-919e89d80c4b.png)
Default-deny all 3rd-party: more likely to break, this will need fixing by the user.
+
+A more friendly approach is to use _3rd-party active content-deny_, which will block only 3rd-party active content, where _active content_ refers to script and frame resources. In such case the likelihood of page breakage is much lower the _3rd-party-deny_, and yet this is where most of the benefits are reaped:
+
+![Default deny only 3rd-party scripts/frames](https://cloud.githubusercontent.com/assets/585534/8889496/c573989c-32aa-11e5-9a40-297ef60a58d0.png)
Default-deny 3rd-party active content only: less breakage, yet most 3rd-party resources are blocked.
The 3rd-party status of a network request is determined as follow: if the domain of a network request does not match the domain of the web page from which it originates, the network request is deemed 3rd-party. The domain information is extracted as per the official [Public Suffix List](https://publicsuffix.org/).
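Review bot: three wording slips in the added paragraphs need fixing: "would not make use if it" should read "of it", "more relax (and thus practical) versions" should read "more relaxed", and "much lower the _3rd-party-deny_" should read "much lower than _3rd-party-deny_". The two new modes are also shown only through screenshots, so consider stating in text how each mode is set, which keeps the page usable if the images fail to load. Note that the removed image was served from the repository's doc/img path while both replacements point at cloud.githubusercontent.com asset URLs; keeping the images in the repository would be more durable.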