Proposed resolution:

Make the URI token match this in the two tokenisations:

   url\({w}{string}{w}\)
   |url\({w}{string}({escape}|[^)])*\)
   |url\({w}([!#$%&*-~]|{nonascii}|{escape})*{w}\)
   |url\(({escape}|[^)])*\)

Add in section 4.2 a new bullet "Malformed URI tokens": "UAs must
handle URI tokens that do not follow the correct URI syntax described
in the <a href="#uri">URLs and URIs</a> section by consuming all
characters from the first character that does not match the syntax up
to the first unescaped close parenthesis (")"). If the url() form
starts with a quote mark, or spaces then a quote mark, the UA must
first find the end of the string before consuming characters in this
way. (If the string is itself malformed, it must be handled as
described below under the <a href="#@@@@">unexpected end of string</a>
section.) The resulting token must cause the declaration to be ignored
as a <a href="#@@@@">malformed declaration</a>. If the end of the
stylesheet is reached before the matching parenthesis, the URI token
construct must be closed as described below in the <a
href="#@@@@">unexpected end of string</a> section."

Add in section 4.3.4, after the sentence starting "Some characters",
the following: "Specifically, when the URI is unquoted, only the
following characters are valid: '!', '#', '$', '%', '&', and all
characters in the range '*' to '~' in Unicode, as well as any
character  above (but not including) U+007F. The '\' character must be
handled as descripted in <a href="#escaped-characters">character
escapes</a>. Other characters cause the URI token to be
malformed. When the URI is quoted, the quoted part must be parsed as a
string token."