Let us take the example of my already being logged in to, say, LinkedIn. When I access LinkedIn in a new tab, it automatically logs me in (using cookie info). Now, suppose I visit a forum and, through an image that is loaded, a CSRF attack is run against my credentials. To prevent my cookie-stored credentials from being used for an attack, LinkedIn would use a token and/or nonce, would check that the token is expired (or the nonce is already used) and prevent the attack from happening.
What confuses me is, as far as LinkedIn goes, both my logging in through a new tab and the CSRF attack are initiated from my (trusted) browser. But LinkedIn automatically logs me in regardless. How would LinkedIn then differentiate opening a new tab from a CSRF attack? Or should LinkedIn have enforced a stricter timeout and have me log in again if I try to log in from a new tab?
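An added example, not from the question's author, that illustrates the mechanism being asked about: the server cannot distinguish the two cases by the cookie, since the browser attaches it to both requests, but a synchronizer token embedded only in pages the site itself serves is present in the genuine request and absent from the forged one. The signing key, session values and user names are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo values: a real deployment uses a per-deployment secret key.
SERVER_KEY = b"constructed-demo-key"
SESSIONS = {"sess-abc": "alice"}  # constructed session store: cookie value -> user

def issue_csrf_token(session_id: str) -> str:
    """Token the site embeds in the HTML it serves to the logged-in user.
    It is bound to the session by an HMAC, so it cannot be guessed, and a page on
    another origin cannot read it out of the site's response."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def validate_csrf_token(session_id: str, token: Optional[str]) -> bool:
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_state_change(method: str, cookies: dict, form: dict) -> str:
    """Server-side handler for a state-changing action (e.g. updating a profile)."""
    session_id = cookies.get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    if method != "POST":  # never change state on GET: an <img> tag can only issue GETs
        return "405 state change requires POST"
    if not validate_csrf_token(session_id, form.get("csrf_token")):
        return "403 csrf token missing or invalid"
    return "200 ok"

def run_scenarios() -> list:
    cookie = {"session": "sess-abc"}  # the browser attaches this cookie to every request
    # 1. New tab: the user loads the site's own page (token embedded) and submits its form.
    token = issue_csrf_token("sess-abc")
    same_site = handle_state_change("POST", cookie, {"csrf_token": token, "name": "Alice"})
    # 2. Forum image pointing at the site: cookie is sent, but it is a GET with no form.
    img_get = handle_state_change("GET", cookie, {})
    # 3. Cross-site POST: cookie is sent, but the forum page never saw the token.
    forged_post = handle_state_change("POST", cookie, {"name": "Mallory"})
    # 4. A token issued for a different session does not validate for this one.
    other = handle_state_change("POST", cookie, {"csrf_token": issue_csrf_token("sess-xyz")})
    return [same_site, img_get, forged_post, other]
```

Modern browsers add a second, independent line of defence by not sending cookies marked SameSite on cross-site requests, but the token check above works even without that.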