Proposed resolution: Make the URI token match this in the two tokenisations:

    url\({w}{string}{w}\)
    |url\({w}{string}({escape}|[^)])*\)
    |url\({w}([!#$%&*-~]|{nonascii}|{escape})*{w}\)
    |url\(({escape}|[^)])*\)

Add in section 4.2 a new bullet "Malformed URI tokens":

"UAs must handle URI tokens that do not follow the correct URI syntax described in the URLs and URIs section by consuming all characters from the first character that does not match the syntax up to the first unescaped close parenthesis (")"). If the url() form starts with a quote mark, or spaces then a quote mark, the UA must first find the end of the string before consuming characters in this way. (If the string is itself malformed, it must be handled as described below under the unexpected end of string section.) The resulting token must cause the declaration to be ignored as a malformed declaration. If the end of the stylesheet is reached before the matching parenthesis, the URI token construct must be closed as described below in the unexpected end of string section."

Add in section 4.3.4, after the sentence starting "Some characters", the following:

"Specifically, when the URI is unquoted, only the following characters are valid: '!', '#', '$', '%', '&', and all characters in the range '*' to '~' in Unicode, as well as any character above (but not including) U+007F. The '\' character must be handled as described in character escapes. Other characters cause the URI token to be malformed. When the URI is quoted, the quoted part must be parsed as a string token."
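
The recovery rule above as a single-pass scanner, added here as an example and not part of the proposed spec text. `scanUrl` and `skipEscape` are hypothetical names, the expansions of {w} and {escape} are assumed from the CSS 2.1 grammar, and closing a malformed string at an unescaped newline is this example's reading of the "unexpected end of string" reference.

```javascript
const WS = " \t\r\n\f", NL = "\n\r\f";
const isHex = (c) => c !== undefined && /[0-9a-f]/i.test(c);

// {escape} at the backslash css[i]: returns the index after it, or -1 when the
// backslash is followed by a newline or the end of input (not a valid escape).
function skipEscape(css, i) {
  const c = css[i + 1];
  if (c === undefined || NL.includes(c)) return -1;
  if (!isHex(c)) return i + 2;
  let j = i + 1;
  while (j <= i + 6 && isHex(css[j])) j++;            // 1 to 6 hex digits
  if (css[j] === "\r" && css[j + 1] === "\n") return j + 2;
  return j < css.length && WS.includes(css[j]) ? j + 1 : j;
}

// Scans the token starting with "url(" at `start`. Returns its kind and the
// index just past it: URI (well formed), BAD_URI (declaration must be ignored)
// or UNTERMINATED (end of stylesheet reached before the closing parenthesis).
function scanUrl(css, start = 0) {
  let i = start + 4, ok = true;
  const skipWs = () => { while (i < css.length && WS.includes(css[i])) i++; };
  skipWs();
  const q = css[i];
  if (q === '"' || q === "'") {                       // quoted: find the end of the string first
    for (i++; i < css.length && css[i] !== q; ) {
      if (NL.includes(css[i])) { ok = false; break; } // assumed reading: newline closes a malformed string
      if (css[i] !== "\\") i++;
      else i += css[i + 1] === "\r" && css[i + 2] === "\n" ? 3 : 2;
    }
    if (ok) i++;                                      // step over the closing quote
  } else {
    while (ok && i < css.length && css[i] !== ")" && !WS.includes(css[i])) {
      const c = css[i];
      if (c === "\\") { const j = skipEscape(css, i); if (j < 0) ok = false; else i = j; }
      else if ("!#$%&".includes(c) || (c >= "*" && c <= "~") || c > "\u007f") i++;
      else ok = false;                                // e.g. quote, "(" or a control character
    }
  }
  if (ok) skipWs();                                   // trailing {w}
  if (ok && css[i] === ")") return { kind: "URI", end: i + 1 };
  // Malformed: consume everything up to the first unescaped ")".
  while (i < css.length && css[i] !== ")") i += css[i] === "\\" ? 2 : 1;
  return i < css.length ? { kind: "BAD_URI", end: i + 1 } : { kind: "UNTERMINATED", end: css.length };
}
```

A filter that rewrites or strips url() values can run its own tokeniser against the same inputs and compare `end`, since a disagreement about where the token stops means the two parsers see different declaration boundaries.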