(Apologies if this is a little awkwardly stated, it’s almost 3 AM and I’m on vacation so I’m trying to keep it brief.)
Some CSS features like ::selection have a whitelist of supported rules to keep them performant and/or secure. (I believe ::selection doesn’t support background images because it is considered a hole that would allow easy spying on user activity, and doesn’t support many other rules because they would trigger a reflow.)
I think it’d be better if all of these features pulled from common pools of restrictions (ie. all rules that don’t support loading assets from a URL have the same fallback behavior).
This would also help manage some of the overly-broad spec amputations made in the name of perf / privacy (eg. disallowing all images when it’s really network requests that are the problem).
(This was originally named CSS Privacy & Performance Restriction Modules and filed under CSS, but now that I think about it, these kind of restriction concerns are present in more standards than just CSS.)
This would also be a great basis for standardizing the way that private browsing modes work (stating that certain features are only subjected to privacy-based restrictions in private browsing mode).
I think this rationale could be included in whatever abstract document is used to define Security Restrictions, as something each of these kinds of things could link to for the edification of content authors.