The current state for CSS is: for a speculative load (which is also a link preload), we don't set 'nonce' for the CSP initial check and hence we don't even start that load. This will rule out link preload. Adding the nonce handling is an optimization. The current state doesn't impose any security issue.
The current state for script: we also add
nonce only for non-speculative loads.
This bug turns to be an optimization only, but as rel=preload is, as a whole, a performance feature, this should be done as part of M3.