Currently query variables are declared using inline var in <script> directly in html page.
As said by @Bawolff in https://gerrit.wikimedia.org/r/c/operations/puppet/+/491377:
As an aside, this tool is very close to be able to get rid of unsafe-inline (Which improves the anti-xss properties of CSP significantly). At a very quick glance, looks like the only thing that uses it is the "var vars =" script block. In principle that could be replaced with a data attribute or meta tag, which would allow getting rid of the unsafe-inline.
For example we can use data attributes on body element.