Conversation

@waleedlatif1 (Collaborator)

Description

  • created csp util file that holds the csp for organization
  • added google docs to prevent docs.google.com refused to connect

Type of change

  • Code refactoring (no functional changes)

How Has This Been Tested?

Tested manually to ensure we can still call all of these endpoints

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • All tests pass locally and in CI (bun run test)
  • My changes generate no new warnings
  • Any dependent changes have been merged and published in downstream modules
  • I have updated version numbers as needed (if needed)
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Security Considerations:

  • My changes do not introduce any new security vulnerabilities
  • I have considered the security implications of my changes

@vercel

vercel bot commented Jul 22, 2025

The latest updates on your projects.

Name | Status | Preview | Comments | Updated (UTC)
sim | ✅ Ready | Visit Preview | 💬 Add feedback | Jul 22, 2025 11:46pm

1 Skipped Deployment

Name | Status | Preview | Comments | Updated (UTC)
docs | ⬜️ Skipped | | | Jul 22, 2025 11:46pm

@greptile-apps greptile-apps bot (Contributor) left a comment

Greptile Summary

This PR refactors Content Security Policy (CSP) configuration by extracting hardcoded CSP strings from next.config.ts into a dedicated utility file apps/sim/lib/security/csp.ts. The refactoring addresses a specific issue where Google Docs was refusing to connect due to CSP restrictions by adding https://docs.google.com to the frame-src directive to enable Google Picker functionality.

The new CSP utility provides:

  • A structured TypeScript interface (CSPDirectives) for CSP configuration
  • Comprehensive source domains for various third-party services (Google, AWS, Vercel, Discord, etc.)
  • Helper functions getMainCSPPolicy() and getWorkflowExecutionCSPPolicy() that dynamically generate CSP policies
  • Better organization and maintainability compared to inline CSP strings

The next.config.ts file now imports these functions and replaces the hardcoded CSP strings with function calls. This follows the established pattern of separating configuration concerns and provides a centralized location for managing security policies across different environments.

Confidence score: 4/5

  • This is a well-structured refactoring that improves code organization while fixing a specific connectivity issue
  • The main concern is potential runtime dependency on environment variables that could result in empty CSP entries if not handled properly
  • The CSP utility file needs careful review to ensure all security directives are correctly configured

2 files reviewed, 1 comment

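The summary above describes a directive map turned into a CSP header string by helper functions, and flags the risk of empty entries when an environment variable is unset. The following is an added example, not code from the sim repository or the PR itself: a small TypeScript builder of the same shape that drops blank sources, plus a check that answers whether a given origin is allowed by a directive. The `CSPDirectives` shape, `buildCSP`, `mainDirectives` and `allows` are assumptions, not the project's API.

```typescript
// Added example (not the project's code). The directive map shape is assumed.
type CSPDirectives = Record<string, string[]>;

// Build a CSP header value from a directive map. Empty or whitespace-only
// sources (e.g. an unset env var interpolated as '') are dropped so no directive
// carries a blank entry, and a directive left with no sources is omitted.
function buildCSP(directives: CSPDirectives): string {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const cleaned = sources.map((s) => s.trim()).filter((s) => s.length > 0);
      return cleaned.length > 0 ? `${name} ${cleaned.join(' ')}` : '';
    })
    .filter((d) => d.length > 0)
    .join('; ');
}

// Hypothetical directive set; appUrl stands in for an env-derived value that
// may be unset at runtime (the concern raised in the review summary).
function mainDirectives(appUrl: string | undefined): CSPDirectives {
  return {
    'default-src': ["'self'"],
    // Constructed sample: the Google Picker iframe needs docs.google.com here.
    'frame-src': ["'self'", 'https://docs.google.com', appUrl ?? ''],
    'connect-src': ["'self'", appUrl ?? ''],
  };
}

// Defender-side check: does a directive in a built policy allow an origin?
// Handles 'self', exact origins and wildcard subdomain sources (https://*.x.y).
function allows(policy: string, directive: string, origin: string, self: string): boolean {
  const entry = policy
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith(directive + ' '));
  if (!entry) return false;
  const sources = entry.slice(directive.length).trim().split(/\s+/);
  return sources.some((src) => {
    if (src === "'self'") return origin === self;
    if (src.startsWith('https://*.')) {
      const base = src.slice('https://*.'.length);
      return origin.startsWith('https://') && origin.slice('https://'.length).endsWith('.' + base);
    }
    return src === origin;
  });
}
```

Running `buildCSP(mainDirectives(undefined))` shows the unset value disappearing instead of leaving a trailing blank token in `frame-src` and `connect-src`.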

@waleedlatif1 waleedlatif1 changed the title fix(csp): created csp.ts file that holds the csp for organization fix(csp): created csp utils file that holds the csp for organization Jul 22, 2025
@waleedlatif1 waleedlatif1 merged commit e392ca4 into staging Jul 22, 2025
5 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/google-picker branch July 22, 2025 23:48