
It boils down to how much you trust browsers to implement this without fucking up. In the past trusting browsers to get it right was a questionable idea, with Flash being a particularly reliable weak point which caused Rails to change how they do CSRF protection. I'm not sure Adobe ever fully fixed the issue in all browsers.

Nonces have the benefit of only relying on browsers preventing cross-domain reads.

When Flash is deprecated, and if a site wants to use CSP, then this might start looking like a better trade-off.

ATM though, nonces can be automatically added to all same-domain forms on your site with JavaScript and you can check it trivially on all POST requests, getting most of the non-CSP related benefits without waiting on browsers.

And even if browsers were to implement it, there is still a long tail of browsers out there that will take forever to update.
