diff --git a/spec/requests/content_security_policy_spec.rb b/spec/requests/content_security_policy_spec.rb
index d4cc40bce5..d4447dca4b 100644
--- a/spec/requests/content_security_policy_spec.rb
+++ b/spec/requests/content_security_policy_spec.rb
@@ -3,25 +3,38 @@
 require 'rails_helper'
 
 describe 'Content-Security-Policy' do
-  it 'sets the expected CSP headers' do
-    allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==')
+  before { allow(SecureRandom).to receive(:base64).with(16).and_return('ZbA+JmE7+bK8F5qvADZHuQ==') }
 
+  it 'sets the expected CSP headers' do
     get '/'
-    expect(response.headers['Content-Security-Policy'].split(';').map(&:strip)).to contain_exactly(
-      "base-uri 'none'",
-      "default-src 'none'",
-      "frame-ancestors 'none'",
-      "font-src 'self' https://cb6e6126.ngrok.io",
-      "img-src 'self' data: blob: https://cb6e6126.ngrok.io",
-      "style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='",
-      "media-src 'self' data: https://cb6e6126.ngrok.io",
-      "frame-src 'self' https:",
-      "manifest-src 'self' https://cb6e6126.ngrok.io",
-      "form-action 'self'",
-      "child-src 'self' blob: https://cb6e6126.ngrok.io",
-      "worker-src 'self' blob: https://cb6e6126.ngrok.io",
-      "connect-src 'self' data: blob: https://cb6e6126.ngrok.io ws://cb6e6126.ngrok.io:4000",
-      "script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'"
-    )
+
+    expect(response_csp_headers)
+      .to match_array(expected_csp_headers)
+  end
+
+  def response_csp_headers
+    response
+      .headers['Content-Security-Policy']
+      .split(';')
+      .map(&:strip)
+  end
+
+  def expected_csp_headers
+    <<~CSP.split("\n").map(&:strip)
+      base-uri 'none'
+      child-src 'self' blob: https://cb6e6126.ngrok.io
+      connect-src 'self' data: blob: https://cb6e6126.ngrok.io ws://cb6e6126.ngrok.io:4000
+      default-src 'none'
+      font-src 'self' https://cb6e6126.ngrok.io
+      form-action 'self'
+      frame-ancestors 'none'
+      frame-src 'self' https:
+      img-src 'self' data: blob: https://cb6e6126.ngrok.io
+      manifest-src 'self' https://cb6e6126.ngrok.io
+      media-src 'self' data: https://cb6e6126.ngrok.io
+      script-src 'self' https://cb6e6126.ngrok.io 'wasm-unsafe-eval'
+      style-src 'self' https://cb6e6126.ngrok.io 'nonce-ZbA+JmE7+bK8F5qvADZHuQ=='
+      worker-src 'self' blob: https://cb6e6126.ngrok.io
+    CSP
   end
 end