fix(picker): fix docs.google.com refused to connect issue

[waleedlatif1]

Description

• fix docs.google.com refused to connect issue by chaging COOP to same-origin-allow-popups, which allows popups you open to communicate and send back file selection

Type of change

• Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Tested manually in incognito browser to prevent browser caching.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• All tests pass locally and in CI (bun run test)
• My changes generate no new warnings
• Any dependent changes have been merged and published in downstream modules
• I have updated version numbers as needed (if needed)
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Security Considerations:

• My changes do not introduce any new security vulnerabilities
• I have considered the security implications of my changes

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
sim	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 26, 2025 7:39pm

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
docs	⬜️ Skipped (Inspect)			Jul 26, 2025 7:39pm

[greptile-apps]

Greptile Summary

This PR fixes a critical integration issue with Google Drive Picker functionality by modifying Cross-Origin security policies in the Next.js configuration. The change updates the Cross-Origin-Opener-Policy (COOP) from same-origin to same-origin-allow-popups for specific routes that require Google Drive integration.

The core problem was that Google Drive Picker opens in a popup window and needs to communicate back to the parent window to send selected file information. The previous restrictive same-origin policy was blocking this popup communication, causing a "docs.google.com refused to connect" error. The solution implements a targeted approach:

1. Maintains strict same-origin policy for most application routes to preserve security
2. Uses the more permissive same-origin-allow-popups policy specifically for routes that need Google Drive integration (w/.*, workspace/.*, api/tools/drive)
3. Also updates Cross-Origin-Embedder-Policy to unsafe-none for these same routes

This change integrates with the existing GoogleDrivePicker component (referenced in the context) which handles OAuth authentication and file selection. The security model remains sound as the permissive policy is only applied to routes that specifically require popup communication for Google Drive functionality.

PR Description Notes:

• Minor typo: "chaging" should be "changing"

Confidence score: 4/5

• This is a well-targeted fix that addresses a specific integration issue without compromising overall security
• The solution correctly identifies the root cause and applies the minimal necessary change
• The route-specific application of policies maintains security boundaries while enabling required functionality
• apps/sim/next.config.ts needs careful review to ensure the route patterns correctly match all intended Google Drive integration endpoints

_{1 file reviewed, no comments}

_{Edit Code Review Bot Settings | Greptile}