
Fix Prebid bidder filtering and iframe creative rendering #551

Merged
ChristianPavilonis merged 1 commit into main from fix/client-side-bid-issue
Mar 23, 2026

@ChristianPavilonis

Summary

  • Fix a Prebid client-side bidding regression where server-routed bidders remained in unit.bids, causing console errors and invalid client adapter calls.
  • Restore rendering for iframe-based creatives that were blanked after sanitizer hardening.
  • Keep trusted-server routing and creative rendering behavior aligned with real production bidder and creative mixes.

Root Cause

  • The Prebid trustedServer shim absorbed bidder params into trusted-server config but did not remove non-client-side bidders from unit.bids, so Prebid still attempted client-side adapter requests for bidders that were not loaded.
  • Hardening changes in commit 4a5d6a4 removed iframe elements during server-side creative sanitization, which blanked iframe-based creatives before delivery.

What Changed

  • crates/js/lib/src/integrations/prebid/index.ts: after building trustedServer params, filter unit.bids to keep only trustedServer and configured clientSideBidders.
  • crates/js/lib/test/integrations/prebid/index.test.ts: update assertions to verify server-side bidders are removed while configured client-side bidders remain.
  • crates/trusted-server-core/src/creative.rs: allow iframe creatives by removing iframe from removed elements and update sanitizer docs and comments.
  • crates/trusted-server-core/src/creative.rs tests: replace iframe-removal test with sanitize_preserves_iframe_element_and_src.
  • crates/js/lib/src/core/render.ts: restore iframe sandbox permissions (allow-forms, allow-scripts, allow-same-origin) needed by real creatives.
  • crates/js/lib/test/core/render.test.ts: update sandbox assertions to match restored permissions.

Validation

  • Passed cargo fmt --all -- --check.
  • Passed cargo clippy --all-targets --all-features -- -D warnings.
  • Passed cargo test --workspace.
  • Passed npx vitest run in crates/js/lib (282 tests).
  • Passed npm run format in crates/js/lib.
  • Passed npm run format in docs.

Risk/Notes


@aram356 aram356 left a comment

👍 Looks good. Please merge it

@ChristianPavilonis ChristianPavilonis merged commit f53a7cb into main Mar 23, 2026
13 checks passed
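
The bid routing described in the pull request summary, as an added example that is not the project's own code: server-routed bidder params are absorbed into the `trustedServer` bid, then `unit.bids` is filtered so that only `trustedServer` and the configured client-side bidders remain. The `Bid`/`AdUnit` shapes, the `bidderParams` key, the function names and the sample ad unit are assumptions made for illustration.

```typescript
// Added illustration, not the code in crates/js/lib/src/integrations/prebid/index.ts.
// The Bid/AdUnit shapes and the bidderParams key are assumptions.
interface Bid { bidder: string; params?: Record<string, unknown>; }
interface AdUnit { code: string; bids: Bid[]; }

const TRUSTED_SERVER = "trustedServer";

// Bidders Prebid would still call through a browser adapter that is not loaded.
function unexpectedClientBidders(unit: AdUnit, clientSideBidders: string[]): string[] {
  const allowed = new Set([TRUSTED_SERVER, ...clientSideBidders]);
  return unit.bids.map((b) => b.bidder).filter((name) => !allowed.has(name));
}

function routeUnit(unit: AdUnit, clientSideBidders: string[]): AdUnit {
  const clientSide = new Set(clientSideBidders);
  clientSide.delete(TRUSTED_SERVER); // the shim bid is always rebuilt below
  const existing = unit.bids.find((b) => b.bidder === TRUSTED_SERVER);
  const bidderParams: Record<string, unknown> = {};

  // Step 1: absorb params of every server-routed bidder into the trustedServer bid.
  for (const bid of unit.bids) {
    if (bid.bidder !== TRUSTED_SERVER && !clientSide.has(bid.bidder)) {
      bidderParams[bid.bidder] = bid.params ?? {};
    }
  }
  const shim: Bid = {
    bidder: TRUSTED_SERVER,
    params: { ...(existing?.params ?? {}), bidderParams },
  };

  // Step 2 (the step the regression lacked): drop the absorbed bidders so only
  // trustedServer and configured client-side bidders remain in unit.bids.
  const kept = unit.bids.filter((b) => clientSide.has(b.bidder));
  return { ...unit, bids: [shim, ...kept] };
}

// Server-routed bidder names carried by the trustedServer bid.
function absorbedBidders(unit: AdUnit): string[] {
  const shim = unit.bids.find((b) => b.bidder === TRUSTED_SERVER);
  const absorbed = (shim?.params?.bidderParams ?? {}) as Record<string, unknown>;
  return Object.keys(absorbed).sort();
}

// Constructed sample ad unit; bidder names and params are illustrative.
const SAMPLE_UNIT: AdUnit = {
  code: "div-banner-1",
  bids: [
    { bidder: "appnexus", params: { placementId: 1 } },
    { bidder: "rubicon", params: { accountId: 2 } },
    { bidder: "kargo" },
  ],
};
```

`unexpectedClientBidders` doubles as a regression check: it should return an empty list for every ad unit after routing.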
Successfully merging this pull request may close these issues.

Prebid trustedServer routing keeps server bidders and breaks iframe creatives