Prebid trustedServer routing keeps server bidders and breaks iframe creatives

[ChristianPavilonis]

Description

When Prebid units are routed through trustedServer, server-side bidders are still left in unit.bids. This causes client-side Prebid to attempt requests for bidders that are no longer available and emit console errors like Trying to make a request for bidder that does not exist: pubmatic.

A related hardening change in creative sanitization also removed iframe creatives, which caused blank creative rendering even when wrapper iframes were present.

Reproduction Steps

1. Configure Prebid with trustedServer routing and include a server-side bidder (for example, pubmatic) in ad unit bids.
2. Load a page where the JS prebid shim rewrites routing to client-side + trustedServer paths.
3. Observe the browser console and creative output.

Expected Behavior

• unit.bids should only include trustedServer plus configured client-side bidders after routing.
• No Prebid "bidder does not exist" console errors for routed server-side bidders.
• Iframe creatives should render correctly (including wrapper iframe flow) after sanitization and JS render path processing.

Affected Area

• Integrations (prebid, lockr, permutive, etc.)
• HTML processing / JS injection

Version

• Branch: fix/client-side-bid-issue

Logs / Evidence

• Console error observed before fix: Trying to make a request for bidder that does not exist: pubmatic

Scope of Fix Implemented

1. Filtered unit.bids in JS prebid shim to keep only trustedServer + configured client-side bidders.
2. Allowed iframe creatives again in server-side sanitizer (trusted-server-core/src/creative.rs).
3. Restored required creative iframe sandbox tokens in JS render path.
4. Updated tests for routing and creative rendering behavior.

Validation

• cargo test --workspace passes
• npx vitest run passes