A POC is already released, marking this as security-sensitive anyway. As Masato Kinugawa describes in his blog, how unicode-range can be used as a keylogger. Google marked this issue as won't fix, but it seems that he didn't report it to Mozilla (they will hopefully care a bit more).
"Source code of page can find out what keys are being pressed" isn't something new; it's been doable for years with DOM events (or, if form controls, reading the value of the control). Is the claim here that there's a category of things that CSS couldn't previously do, *and* that people are assuming that CSS can't do and reasonably depending on that assumption for security? (Are there cases where people use external libraries for downloadable fonts that are only linking to CSS and not linking to JS, which already has the ability to do this?) (There are certainly plenty of existing ways that untrusted CSS could attack a page; linking to style sheets you don't trust has already been a bad idea.)
Given the lack of description of what the threat is here (who is the attacker, what are they attacking), I think we should open up this bug and mark it as WONTFIX.
(Actually, perhaps INVALID or WORKSFORME makes more sense than WONTFIX, since the issue is that I don't know what the threat being reported is.)
Note: You need to allow mixed content for the POC, because it doesn't provide https :(
The behavior Masato Kinugawa describes in his blog is a real effect; WONTFIX seems a more appropriate resolution than INVALID.