CSS Values level 4 proposes a new syntax for including urls, src() - https://www.w3.org/TR/css-values-4/#urls
This isn't really a standard yet, and nobody supports src(), but maybe we should pre-emptively block it in Sanitizer::checkCss() . If this became supported by browsers, it would allow people to bypass our current sanitization.