w3c / csswg-drafts

CSS Working Group Editor Drafts
https://drafts.csswg.org/

[css-values-4] Privacy concern around URL interpolation. #6840

Open OliverBrotchie opened 2 years ago

OliverBrotchie commented 2 years ago

As discussed in CSS fingerprinting, allowing interpolation of variables into URLs will make fingerprinting attacks extremely scalable as it dramatically reduces the large number of requests per user that is required currently - the main limiting factor on the wide-scale adoption of this technique.

I understand that the default position on CSS security is that running untrusted CSS is inherently unsafe (#5092, #2426, #2339); however, I think it would be best to raise this as an issue nonetheless.

fantasai commented 2 years ago

Hi @OliverBrotchie, although interpolation of variables into URLs has been discussed, we don't currently have a mechanism to do so. The piece you quoted is about allowing arguments that change how the url() function is handled: they don't interpolate anything into the URL itself. So afaict, the issue you're raising isn't something that needs to be addressed (yet)?