Nonce and Hash are part of CSP Level 2, which I don't believe enjoys wide
cross-browser support. My original implementation of CSP for Lift 3 is therefore
targeted 100% at CSP 1.0.
I don't necessarily mind supporting CSP Level 2 directives in 3.1, we just need
to think about how this interacts with browsers and whether we want to bake in
something that isn't yet widely supported (in particular, I believe Level 2 has
unclear support in IE Edge and Safari).
Also worth noting, I haven't double-checked this in the last 6 months or so, so
it's possible that's all changed.
Thanks,
Antonio