The clearest way to explain the difference is evolved security with flexibility. We introduced BadURLChars and BadQueryChars first, then added BadCSSChars which blocks things in more detail (multi-level ASCII decode, meaning we check for encoded equivalents of BadCSSChars but we do not do that with BadURLChars). As always we add a new setting rather than changing the behavior of an existing setting to avoid disrupting existing installations. This also enables you to use 2 different error pages if you wish (ServerErrorFile vs. CSSErrorFile). You can read more on that in the webagent configuration guide, section titled "Custom Error Handling For Applications".