Intent to Ship: CSS URL request modifiers

179 views
Skip to first unread message

Chromestatus

unread,
Apr 25, 2026, 11:11:04 AM (5 days ago) Apr 25
to blin...@chromium.org, j...@chromium.org
Contact emails
j...@chromium.org

Specification
https://drafts.csswg.org/css-values-5/#request-url-modifiers

Summary
CSS url() functions accept optional request modifiers after the quoted URL string: cross-origin(), integrity(), and referrer-policy(). These modifiers control the fetch behavior of the referenced resource directly from CSS, without requiring changes to HTML markup or JavaScript. For example, background-image: url("image.png" cross-origin(anonymous)) fetches the image using CORS anonymous mode. This gives authors fine-grained control over cross-origin access, subresource integrity, and referrer policy for CSS-loaded resources including images, fonts, SVG references, and imported stylesheets.

Blink component
Blink>CSS

Web Feature ID
url-cross-origin, url-referrer-policy, url-integrity

Motivation
Web developers currently have no way to control fetch parameters for CSS-loaded resources. CSS URL request modifiers close this gap by allowing fetch parameters to be specified inline in any url() value, bringing CSS resource loading to parity with HTML resource loading.

Initial public proposal
No information provided

TAG review
No information provided

TAG review status
Not applicable

Goals for experimentation
None

Risks


Interoperability and Compatibility
No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1386)

WebKit: Shipped/Shipping (https://developer.apple.com/documentation/safari-release-notes/safari-26_2-release-notes)

Web developers: No signals

Other signals:

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
No information provided

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/css/css-values/urls

Flag name on about://flags
No information provided

Finch feature name
CSSURLRequestModifiers

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/issues/435625756

Estimated milestones
Shipping on desktop149
Shipping on Android149
Shipping on WebView149


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5111997147512832?gate=6585091942907904

Links to previous Intent discussions
Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/69d421df.050a0220.2539d3.00af.GAE%40google.com


This intent message was generated by Chrome Platform Status.

Dan Clark

unread,
Apr 28, 2026, 2:01:05 PM (2 days ago) Apr 28
to blink-dev, Chromestatus, j...@chromium.org
The Safari release notes say that cross-origin() and referrer-policy() are being shipped but not integrity(). If it's correct that they're not shipping integrity() (which looks to be the case based on the WPT results) can you please file a WebKit position request for just that one?

Yoav Weiss (@Shopify)

unread,
Apr 29, 2026, 11:31:20 AM (yesterday) Apr 29
to blink-dev, dan...@microsoft.com, Chromestatus, j...@chromium.org
LGTM1 conditional on filing a non-blocking WebKit position on integrity()

jj

unread,
Apr 29, 2026, 11:39:23 AM (yesterday) Apr 29
to blink-dev, dan...@microsoft.com, Chromestatus, j...@chromium.org
On Tuesday, April 28, 2026 at 8:01:05 PM UTC+2 dan...@microsoft.com wrote:
The Safari release notes say that cross-origin() and referrer-policy() are being shipped but not integrity(). If it's correct that they're not shipping integrity() (which looks to be the case based on the WPT results) can you please file a WebKit position request for just that one?


IIRC, there is already some sort of implementation of integrity() in WebKit behind a flag. As to why it's not shipped, I'm not sure.

Dan Clark

unread,
Apr 29, 2026, 11:51:00 AM (yesterday) Apr 29
to blink-dev, jj, Dan Clark, Chromestatus
Thanks! LGTM2

Mike Taylor

unread,
Apr 29, 2026, 11:53:40 AM (yesterday) Apr 29
to Dan Clark, blink-dev, jj, Chromestatus

LGTM3

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/c1fca82a-c0d1-4252-8700-a71b7b784bb9n%40chromium.org.

Chris Harrelson

unread,
Apr 29, 2026, 11:53:47 AM (yesterday) Apr 29
to Dan Clark, blink-dev, jj, Chromestatus
LGTM3

--
Reply all
Reply to author
Forward
0 new messages