That won't work without javascript, and then you need another URL to fallback to that'll respond to GET requests for non-javascript browsers. And then you could just XSRF the non-javascript URL.
[Disclaimer: I work at Google, but not on any area related to this]
I don't understand why this would need JavaScript - regular CSRF protection for POST requests works fine without JavaScript - why can't that be applied to the logout button?
[Disclaimer: I work at Google, but not on any area related to this]