[css-values-5][editorial] More details in Priv/Sec sections

tabatkins · tabatkins · commit ce239eca9c4e · 2024-09-13T13:33:44.000-07:00
diff --git a/css-values-5/Overview.bs b/css-values-5/Overview.bs
@@ -2199,10 +2199,15 @@ Additions Since Level 4</h3>
 <h2 class="no-num" id="security">
 Security Considerations</h2>
 
-	This specification mostly just defines units that are common to CSS specifications,
-	and which present no security concerns.
+	This specification allows CSS <<url>> values to have various aspects of their request modified.
+	Although this is new to CSS,
+	every ability is already present in <{img}> or <{link}>, as well as via JavaScript.
 
-	Note: Does URL handling have a security concern?  Probably.
+	The ''attr()'' function allows HTML attribute values
+	to be used in CSS values,
+	potentially exposing sensitive information
+	that was previously not accessible via CSS.
+	See [[#attr-security]].
 
 <h2 class="no-num" id="privacy">
 Privacy Considerations</h2>
@@ -2211,6 +2216,9 @@ Privacy Considerations</h2>
 	and default font size,
 	but both are trivially observable from JS,
 	so they do not constitute a new privacy risk.
+	Similarly the ''media-progress()'' notation exposes
+	information about the user's environment and preferences
+	that are already observiable via [=media queries=].
 
 	The ''attr()'' function allows HTML attribute values
 	to be used in CSS values,
