From d25b7a7b5ded6d6af34e4e6cf275ef592ab2b0e4 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 10:36:17 -0500
Subject: [PATCH 1/7] Honor publisher origin host header override

---
 .../src/platform.rs                           | 27 +++++++++++++++++++
 .../src/integrations/datadome/protection.rs   |  1 +
 .../src/integrations/mod.rs                   |  1 +
 .../src/platform/test_support.rs              |  1 +
 .../trusted-server-core/src/platform/types.rs |  2 ++
 crates/trusted-server-core/src/proxy.rs       |  2 ++
 crates/trusted-server-core/src/publisher.rs   |  1 +
 7 files changed, 35 insertions(+)

diff --git a/crates/trusted-server-adapter-fastly/src/platform.rs b/crates/trusted-server-adapter-fastly/src/platform.rs
index 7e96a545..1a6347de 100644
--- a/crates/trusted-server-adapter-fastly/src/platform.rs
+++ b/crates/trusted-server-adapter-fastly/src/platform.rs
@@ -157,6 +157,7 @@ pub struct FastlyPlatformBackend;
 fn backend_config_from_spec(spec: &PlatformBackendSpec) -> BackendConfig<'_> {
     BackendConfig::new(&spec.scheme, &spec.host)
         .port(spec.port)
+        .host_header_override(spec.host_header_override.as_deref())
         .certificate_check(spec.certificate_check)
         .first_byte_timeout(spec.first_byte_timeout)
 }
@@ -619,6 +620,7 @@ mod tests {
             scheme: "https".to_string(),
             host: "origin.example.com".to_string(),
             port: None,
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: Duration::from_secs(15),
         };
@@ -633,6 +635,28 @@ mod tests {
         );
     }
 
+    #[test]
+    fn predict_name_includes_host_header_override_suffix() {
+        let backend = FastlyPlatformBackend;
+        let spec = PlatformBackendSpec {
+            scheme: "https".to_string(),
+            host: "origin.example.com".to_string(),
+            port: None,
+            host_header_override: Some("www.example.com".to_string()),
+            certificate_check: true,
+            first_byte_timeout: Duration::from_secs(15),
+        };
+
+        let name = backend
+            .predict_name(&spec)
+            .expect("should compute backend name for host header override");
+
+        assert_eq!(
+            name, "backend_https_origin_example_com_443_oh_www_example_com_t15000",
+            "should match BackendConfig naming convention with host header override"
+        );
+    }
+
     #[test]
     fn predict_name_includes_nocert_suffix_when_cert_check_disabled() {
         let backend = FastlyPlatformBackend;
@@ -640,6 +664,7 @@ mod tests {
             scheme: "https".to_string(),
             host: "origin.example.com".to_string(),
             port: None,
+            host_header_override: None,
             certificate_check: false,
             first_byte_timeout: Duration::from_secs(15),
         };
@@ -661,6 +686,7 @@ mod tests {
             scheme: "https".to_string(),
             host: String::new(),
             port: None,
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: Duration::from_secs(15),
         };
@@ -677,6 +703,7 @@ mod tests {
             scheme: "https".to_string(),
             host: "origin.example.com".to_string(),
             port: None,
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: Duration::from_millis(2000),
         };
diff --git a/crates/trusted-server-core/src/integrations/datadome/protection.rs b/crates/trusted-server-core/src/integrations/datadome/protection.rs
index 8512bcc9..96eade32 100644
--- a/crates/trusted-server-core/src/integrations/datadome/protection.rs
+++ b/crates/trusted-server-core/src/integrations/datadome/protection.rs
@@ -156,6 +156,7 @@ impl DataDomeIntegration {
             scheme: parsed.scheme().to_string(),
             host: host.to_string(),
             port: parsed.port(),
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: Duration::from_millis(u64::from(self.config.timeout_ms)),
         };
diff --git a/crates/trusted-server-core/src/integrations/mod.rs b/crates/trusted-server-core/src/integrations/mod.rs
index 297cf9d0..192857af 100644
--- a/crates/trusted-server-core/src/integrations/mod.rs
+++ b/crates/trusted-server-core/src/integrations/mod.rs
@@ -71,6 +71,7 @@ pub(crate) fn ensure_integration_backend(
                 })?
                 .to_string(),
             port: parsed.port(),
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: first_byte_timeout.unwrap_or_else(|| Duration::from_secs(15)),
         })
diff --git a/crates/trusted-server-core/src/platform/test_support.rs b/crates/trusted-server-core/src/platform/test_support.rs
index 36182fea..493135ce 100644
--- a/crates/trusted-server-core/src/platform/test_support.rs
+++ b/crates/trusted-server-core/src/platform/test_support.rs
@@ -807,6 +807,7 @@ mod tests {
             scheme: "https".to_string(),
             host: "example.com".to_string(),
             port: None,
+            host_header_override: None,
             certificate_check: true,
             first_byte_timeout: DEFAULT_FIRST_BYTE_TIMEOUT,
         };
diff --git a/crates/trusted-server-core/src/platform/types.rs b/crates/trusted-server-core/src/platform/types.rs
index 33250d1d..25068218 100644
--- a/crates/trusted-server-core/src/platform/types.rs
+++ b/crates/trusted-server-core/src/platform/types.rs
@@ -133,6 +133,8 @@ pub struct PlatformBackendSpec {
     pub host: String,
     /// Explicit port, or `None` to use the scheme default.
     pub port: Option<u16>,
+    /// Optional outbound Host header to send to the backend origin.
+    pub host_header_override: Option<String>,
     /// Whether to verify the TLS certificate.
     pub certificate_check: bool,
     /// Maximum time to wait for the first response byte.
diff --git a/crates/trusted-server-core/src/proxy.rs b/crates/trusted-server-core/src/proxy.rs
index bcd70e18..f60f2298 100644
--- a/crates/trusted-server-core/src/proxy.rs
+++ b/crates/trusted-server-core/src/proxy.rs
@@ -1058,6 +1058,7 @@ pub async fn handle_asset_proxy_request(
             scheme: scheme.to_string(),
             host: host.to_string(),
             port: target_url.port(),
+            host_header_override: None,
             certificate_check: settings.proxy.certificate_check,
             first_byte_timeout: DEFAULT_FIRST_BYTE_TIMEOUT,
         })
@@ -1241,6 +1242,7 @@ async fn proxy_with_redirects(
                 scheme: scheme.clone(),
                 host: host.to_string(),
                 port: parsed_url.port(),
+                host_header_override: None,
                 certificate_check: settings.proxy.certificate_check,
                 first_byte_timeout: DEFAULT_FIRST_BYTE_TIMEOUT,
             })
diff --git a/crates/trusted-server-core/src/publisher.rs b/crates/trusted-server-core/src/publisher.rs
index db8a1778..93ce75d6 100644
--- a/crates/trusted-server-core/src/publisher.rs
+++ b/crates/trusted-server-core/src/publisher.rs
@@ -499,6 +499,7 @@ pub async fn handle_publisher_request(
             scheme: origin_scheme.clone(),
             host: origin_host_without_port.to_string(),
             port: parsed_origin.port(),
+            host_header_override: settings.publisher.origin_host_header_override.clone(),
             certificate_check: settings.proxy.certificate_check,
             first_byte_timeout: DEFAULT_PUBLISHER_FIRST_BYTE_TIMEOUT,
         })

From 65a475c94a2c07cfb0be590aee93fe9ae4c843a2 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 10:44:35 -0500
Subject: [PATCH 2/7] Replace forwarded host in Fastly request conversion

---
 .../src/platform.rs                           | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/crates/trusted-server-adapter-fastly/src/platform.rs b/crates/trusted-server-adapter-fastly/src/platform.rs
index 1a6347de..4b1a9cf4 100644
--- a/crates/trusted-server-adapter-fastly/src/platform.rs
+++ b/crates/trusted-server-adapter-fastly/src/platform.rs
@@ -309,7 +309,11 @@ fn edge_request_to_fastly(
     let (parts, body) = request.into_parts();
     let mut fastly_req = fastly::Request::new(parts.method, parts.uri.to_string());
     for (name, value) in parts.headers.iter() {
-        fastly_req.append_header(name.as_str(), value.as_bytes());
+        if name == edgezero_core::http::header::HOST {
+            fastly_req.set_header(name.as_str(), value.as_bytes());
+        } else {
+            fastly_req.append_header(name.as_str(), value.as_bytes());
+        }
     }
     match body {
         edgezero_core::body::Body::Once(bytes) => {
@@ -611,6 +615,24 @@ mod tests {
         Arc::new(NoopKvStore)
     }
 
+    #[test]
+    fn edge_request_to_fastly_replaces_url_derived_host_header() {
+        let request = request_builder()
+            .method("GET")
+            .uri("https://origin.example.com/")
+            .header(edgezero_core::http::header::HOST, "www.example.com")
+            .body(Body::empty())
+            .expect("should build request");
+
+        let fastly_req = edge_request_to_fastly(request).expect("should convert request");
+
+        assert_eq!(
+            fastly_req.get_header_str(fastly::http::header::HOST),
+            Some("www.example.com"),
+            "should replace the URL-derived Host instead of appending a duplicate"
+        );
+    }
+
     // --- FastlyPlatformBackend::predict_name --------------------------------
 
     #[test]

From 154b0359a83a156e0133d419e8128b0a55f6aea2 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 11:15:53 -0500
Subject: [PATCH 3/7] Bypass Image Optimizer for incoming SVG asset paths

---
 crates/trusted-server-core/src/proxy.rs | 60 ++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 7 deletions(-)

diff --git a/crates/trusted-server-core/src/proxy.rs b/crates/trusted-server-core/src/proxy.rs
index f60f2298..98528524 100644
--- a/crates/trusted-server-core/src/proxy.rs
+++ b/crates/trusted-server-core/src/proxy.rs
@@ -749,8 +749,8 @@ fn build_asset_proxy_target_url(
     Ok(target_url)
 }
 
-fn asset_path_skips_image_optimizer(target_url: &url::Url) -> bool {
-    let lower_path = target_url.path().to_ascii_lowercase();
+fn asset_path_skips_image_optimizer(path: &str) -> bool {
+    let lower_path = path.to_ascii_lowercase();
     lower_path.ends_with(".svg") || lower_path.ends_with(".svgz")
 }
 
@@ -1028,12 +1028,15 @@ pub async fn handle_asset_proxy_request(
     req: Request<EdgeBody>,
     route: &ProxyAssetRoute,
 ) -> Result<AssetProxyResponse, Report<TrustedServerError>> {
+    let incoming_path = req.uri().path();
     let incoming_query = req.uri().query().unwrap_or("");
-    let mut target_url = build_asset_proxy_target_url(route, req.uri().path(), incoming_query)?;
-    let skip_image_optimizer = asset_path_skips_image_optimizer(&target_url);
+    let mut target_url = build_asset_proxy_target_url(route, incoming_path, incoming_query)?;
+    let skip_image_optimizer = asset_path_skips_image_optimizer(incoming_path)
+        || asset_path_skips_image_optimizer(target_url.path());
     let image_optimizer = if skip_image_optimizer {
         log::debug!(
-            "Skipping Image Optimizer for unsupported SVG asset path: {}",
+            "Skipping Image Optimizer for unsupported SVG asset path: incoming={}, target={}",
+            incoming_path,
             target_url.path()
         );
         None
@@ -3096,7 +3099,7 @@ mod tests {
         ] {
             let target_url = url::Url::parse(url).expect("should parse target URL");
             assert!(
-                asset_path_skips_image_optimizer(&target_url),
+                asset_path_skips_image_optimizer(target_url.path()),
                 "should skip Image Optimizer for {url}"
             );
         }
@@ -3111,7 +3114,7 @@ mod tests {
         ] {
             let target_url = url::Url::parse(url).expect("should parse target URL");
             assert!(
-                !asset_path_skips_image_optimizer(&target_url),
+                !asset_path_skips_image_optimizer(target_url.path()),
                 "should allow Image Optimizer for {url}"
             );
         }
@@ -3664,6 +3667,49 @@ mod tests {
         );
     }
 
+    #[tokio::test]
+    async fn handle_asset_proxy_request_skips_image_optimizer_for_incoming_svg() {
+        let stub = Arc::new(StubHttpClient::new());
+        stub.push_response(200, b"ok".to_vec());
+        let services = build_services_with_http_client(
+            Arc::clone(&stub) as Arc<dyn crate::platform::PlatformHttpClient>
+        );
+        let mut settings = create_test_settings();
+        let mut profile_set = test_profile_set();
+        profile_set.unknown_profile = UnknownProfilePolicy::Reject;
+        settings.image_optimizer = ImageOptimizerSettings {
+            profile_sets: HashMap::from([("default_images".to_string(), profile_set)]),
+        };
+        let req = build_http_request(
+            Method::GET,
+            "https://www.example.com/.image/object-id/logo.svg?profile=unknown&ar=1-1",
+        );
+        let mut route = ProxyAssetRoute::new("/.image/", "https://assets.example.com");
+        route.path_pattern = Some(r"^/\.image/([^/]+)/[^/]+\.([^/.]+)$".to_string());
+        route.target_path = Some("/image/upload/$1".to_string());
+        route.image_optimizer = Some(AssetImageOptimizerConfig {
+            enabled: true,
+            region: "us_east".to_string(),
+            profile_set: "default_images".to_string(),
+            origin_query: None,
+        });
+
+        handle_asset_proxy_request(&settings, &services, req, &route)
+            .await
+            .expect("should proxy incoming SVG asset without Image Optimizer profile parsing");
+
+        assert_eq!(
+            stub.recorded_request_uris(),
+            vec!["https://assets.example.com/image/upload/object-id"],
+            "should strip profile-table query even when SVG target path omits extension"
+        );
+        assert_eq!(
+            stub.recorded_image_optimizer_options(),
+            vec![None],
+            "incoming SVG assets should bypass Image Optimizer metadata"
+        );
+    }
+
     #[tokio::test]
     async fn handle_asset_proxy_request_skips_s3_preflight_for_svg_image_optimizer_routes() {
         let stub = Arc::new(StubHttpClient::new());

From f405735aa378c65255c92f5d98eb709895b94963 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 12:19:18 -0500
Subject: [PATCH 4/7] Load Prebid split bundle synchronously

---
 .../trusted-server-core/src/html_processor.rs |  6 +--
 .../src/integrations/prebid.rs                |  2 +-
 .../src/integrations/registry.rs              | 10 +++--
 crates/trusted-server-core/src/publisher.rs   |  8 ++--
 crates/trusted-server-core/src/tsjs.rs        | 39 +++++++++++++++----
 docs/guide/integration-guide.md               | 14 +++----
 6 files changed, 53 insertions(+), 26 deletions(-)

diff --git a/crates/trusted-server-core/src/html_processor.rs b/crates/trusted-server-core/src/html_processor.rs
index eafe1e1e..18d56366 100644
--- a/crates/trusted-server-core/src/html_processor.rs
+++ b/crates/trusted-server-core/src/html_processor.rs
@@ -232,11 +232,11 @@ pub fn create_html_processor(config: HtmlProcessorConfig) -> impl StreamProcesso
                     for insert in integrations.head_inserts(&ctx) {
                         snippet.push_str(&insert);
                     }
-                    // Main bundle: core + non-deferred integrations (synchronous).
+                    // Main bundle: core + non-split integrations (synchronous).
                     let immediate_ids = integrations.js_module_ids_immediate();
                     snippet.push_str(&tsjs::tsjs_script_tag(&immediate_ids));
-                    // Deferred bundles: large modules like prebid loaded after
-                    // HTML parsing completes. Empty when none are enabled.
+                    // Split bundles: large modules like prebid load outside the
+                    // main bundle. Empty when none are enabled.
                     let deferred_ids = integrations.js_module_ids_deferred();
                     snippet.push_str(&tsjs::tsjs_deferred_script_tags(&deferred_ids));
                     el.prepend(&snippet, ContentType::Html);
diff --git a/crates/trusted-server-core/src/integrations/prebid.rs b/crates/trusted-server-core/src/integrations/prebid.rs
index 8a2c6157..17b97d1d 100644
--- a/crates/trusted-server-core/src/integrations/prebid.rs
+++ b/crates/trusted-server-core/src/integrations/prebid.rs
@@ -1993,7 +1993,7 @@ passphrase = "test-secret-key-32-bytes-minimum"
         );
         assert!(
             processed.contains("tsjs-prebid.min.js"),
-            "Deferred prebid bundle should be injected"
+            "Split prebid bundle should be injected"
         );
     }
 
diff --git a/crates/trusted-server-core/src/integrations/registry.rs b/crates/trusted-server-core/src/integrations/registry.rs
index 99df1c73..9c6e24fc 100644
--- a/crates/trusted-server-core/src/integrations/registry.rs
+++ b/crates/trusted-server-core/src/integrations/registry.rs
@@ -699,8 +699,10 @@ impl IntegrationRegistrationBuilder {
         self
     }
 
-    /// Mark this integration's JS module for deferred loading via
-    /// `<script defer>` instead of the main synchronous bundle.
+    /// Mark this integration's JS module for split loading outside the main bundle.
+    ///
+    /// Split modules usually load with `defer`, but the script tag policy can
+    /// choose synchronous loading for modules with bootstrap ordering needs.
     #[must_use]
     pub fn with_deferred_js(mut self) -> Self {
         self.registration.js_deferred = true;
@@ -1156,11 +1158,11 @@ impl IntegrationRegistry {
             .collect()
     }
 
-    /// Return JS module IDs that should be loaded with `<script defer>`.
+    /// Return JS module IDs that should be loaded as split scripts.
     ///
     /// Only includes modules registered with
     /// [`with_deferred_js`](IntegrationRegistrationBuilder::with_deferred_js)
-    /// that are actually enabled. Returns an empty vec when no deferred
+    /// that are actually enabled. Returns an empty vec when no split
     /// integrations are configured.
     #[must_use]
     pub fn js_module_ids_deferred(&self) -> Vec<&'static str> {
diff --git a/crates/trusted-server-core/src/publisher.rs b/crates/trusted-server-core/src/publisher.rs
index 93ce75d6..b2402c38 100644
--- a/crates/trusted-server-core/src/publisher.rs
+++ b/crates/trusted-server-core/src/publisher.rs
@@ -134,8 +134,8 @@ fn accept_encoding_qvalue(header_value: &str, target: &str) -> Option<f32> {
 /// Serves two types of bundles:
 /// - **Unified bundle** (`tsjs-unified.min.js`): core + immediate (non-deferred)
 ///   integration modules.
-/// - **Deferred module** (`tsjs-{id}.min.js`): a single self-contained IIFE for
-///   modules loaded with `defer` (e.g., prebid).
+/// - **Split module** (`tsjs-{id}.min.js`): a single self-contained IIFE for
+///   modules loaded outside the main bundle (e.g., prebid).
 ///
 /// # Errors
 ///
@@ -181,11 +181,11 @@ pub fn handle_tsjs_dynamic(
     Ok(not_found_response())
 }
 
-/// Extract a module ID from a deferred-module filename like `tsjs-prebid.min.js`.
+/// Extract a module ID from a split-module filename like `tsjs-prebid.min.js`.
 ///
 /// Returns `Some(&'static str)` if the filename matches a known JS module ID,
 /// `None` otherwise. The caller must additionally verify that the module is
-/// both deferred and enabled via the [`IntegrationRegistry`].
+/// both split-loaded and enabled via the [`IntegrationRegistry`].
 #[must_use]
 fn parse_deferred_module_filename(filename: &str) -> Option<&'static str> {
     let stem = filename
diff --git a/crates/trusted-server-core/src/tsjs.rs b/crates/trusted-server-core/src/tsjs.rs
index 07c0c97e..320ecca5 100644
--- a/crates/trusted-server-core/src/tsjs.rs
+++ b/crates/trusted-server-core/src/tsjs.rs
@@ -38,25 +38,39 @@ pub fn tsjs_unified_script_tag() -> String {
     tsjs_script_tag(&ids)
 }
 
-/// `/static` URL for a single deferred module with its own cache-busting hash.
+/// `/static` URL for a single split module with its own cache-busting hash.
 #[must_use]
 pub fn tsjs_deferred_script_src(module_id: &str) -> String {
     let hash = single_module_hash(module_id).unwrap_or_default();
     format!("/static/tsjs=tsjs-{module_id}.min.js?v={hash}")
 }
 
-/// `<script defer>` tag for a single deferred module.
+/// Return true when a split module must execute synchronously after the main bundle.
+fn tsjs_split_module_loads_synchronously(module_id: &str) -> bool {
+    module_id == "prebid"
+}
+
+/// `<script>` tag for a single split module.
+///
+/// Most split modules use `defer`, but Prebid must execute synchronously after
+/// the main TSJS bundle so publisher ad code observes the TSJS-owned `pbjs`
+/// before attempting legacy Prebid bundle loading.
 #[must_use]
 pub fn tsjs_deferred_script_tag(module_id: &str) -> String {
+    let defer_attr = if tsjs_split_module_loads_synchronously(module_id) {
+        ""
+    } else {
+        " defer"
+    };
     format!(
-        "<script src=\"{}\" defer></script>",
+        "<script src=\"{}\"{defer_attr}></script>",
         tsjs_deferred_script_src(module_id)
     )
 }
 
-/// Generate all deferred `<script defer>` tags for the given module IDs.
+/// Generate all split module `<script>` tags for the given module IDs.
 ///
-/// Returns an empty string when no deferred modules are present.
+/// Returns an empty string when no split modules are present.
 #[must_use]
 pub fn tsjs_deferred_script_tags(module_ids: &[&str]) -> String {
     module_ids
@@ -201,13 +215,24 @@ mod tests {
     }
 
     #[test]
-    fn tsjs_deferred_script_tag_marks_script_defer() {
+    fn tsjs_deferred_script_tag_loads_prebid_synchronously() {
         let src = tsjs_deferred_script_src("prebid");
 
         assert_eq!(
             tsjs_deferred_script_tag("prebid"),
+            format!("<script src=\"{src}\"></script>"),
+            "should generate a synchronous prebid script tag"
+        );
+    }
+
+    #[test]
+    fn tsjs_deferred_script_tag_marks_other_split_modules_defer() {
+        let src = tsjs_deferred_script_src("creative");
+
+        assert_eq!(
+            tsjs_deferred_script_tag("creative"),
             format!("<script src=\"{src}\" defer></script>"),
-            "should generate a deferred script tag"
+            "should defer non-prebid split module script tags"
         );
     }
 
diff --git a/docs/guide/integration-guide.md b/docs/guide/integration-guide.md
index 79576b8b..a0ffc12c 100644
--- a/docs/guide/integration-guide.md
+++ b/docs/guide/integration-guide.md
@@ -212,7 +212,7 @@ impl IntegrationScriptRewriter for MyIntegration {
 `html_processor.rs` calls these hooks after applying the standard origin→first-party rewrite, so you can simply swap URLs, append query parameters, or mutate inline JSON. Use this to point `<script>` tags at your own tsjs-managed bundle (for example, `/static/tsjs=tsjs-testlight.min.js`) or to rewrite embedded Next.js payloads.
 
 ::: warning Removing Elements
-Returning `AttributeRewriteAction::remove_element()` (or `ScriptRewriteAction::RemoveNode` for inline content) removes the element entirely, so integrations can drop publisher-provided markup when the Trusted Server already injects a safe alternative. Prebid, for example, removes publisher `prebid.js` tags because it ships its own deferred bundle (`tsjs-prebid.min.js`).
+Returning `AttributeRewriteAction::remove_element()` (or `ScriptRewriteAction::RemoveNode` for inline content) removes the element entirely, so integrations can drop publisher-provided markup when the Trusted Server already injects a safe alternative. Prebid, for example, removes publisher `prebid.js` tags because it ships its own split bundle (`tsjs-prebid.min.js`).
 :::
 
 ### 5b. Implement Head Injection (Optional)
@@ -251,7 +251,7 @@ Add the module to `crates/trusted-server-core/src/integrations/mod.rs`'s builder
 
 Place any integration-specific JavaScript entrypoint under `crates/js/lib/src/integrations/` (for example, `crates/js/lib/src/integrations/testlight.ts`). The shared `npm run build` script automatically discovers every file in that directory and produces a bundle named `tsjs-<entry>.js`, which the Rust crate embeds as `/static/tsjs=tsjs-<entry>.min.js`.
 
-Integrations that ship additional JS (such as Testlight) typically expose a `shim_src` config and rewrite publisher tags to point at that URL. Others (like Prebid) drop the publisher tag because the server injects its own deferred bundle automatically.
+Integrations that ship additional JS (such as Testlight) typically expose a `shim_src` config and rewrite publisher tags to point at that URL. Others (like Prebid) drop the publisher tag because the server injects its own split bundle automatically.
 
 ### 8. Test Locally
 
@@ -273,7 +273,7 @@ Two built-in integrations demonstrate how the framework pieces fit together.
 Integrations are loaded in one of two ways:
 
 - **Immediate** (default) — concatenated into the main `tsjs-unified.min.js` bundle, loaded synchronously at `<head>` start.
-- **Deferred** — served as a separate `<script defer>` tag (`tsjs-{id}.min.js`), loaded after HTML parsing completes. Used for large modules that would otherwise block rendering. Integrations opt in by calling `.with_deferred_js()` on their registration builder.
+- **Split** — served as a separate `tsjs-{id}.min.js` tag outside the main bundle. Split modules usually use `<script defer>`, but modules with bootstrap ordering requirements can load synchronously. Integrations opt in by calling `.with_deferred_js()` on their registration builder.
 
 ### Testlight
 
@@ -288,9 +288,9 @@ Integrations are loaded in one of two ways:
 
 ### Prebid
 
-**Loading**: Deferred (`<script defer>`)
+**Loading**: Split synchronous script after the main TSJS bundle
 
-**Purpose**: Production Prebid Server bridge that owns `/first-party/ad` & `/third-party/ad`, injects EC IDs, rewrites creatives/notification URLs, and removes publisher-supplied Prebid scripts. The NPM-bundled Prebid.js is served as a separate deferred bundle (`tsjs-prebid.min.js`) to avoid blocking page rendering (168 KB).
+**Purpose**: Production Prebid Server bridge that owns `/first-party/ad` & `/third-party/ad`, injects EC IDs, rewrites creatives/notification URLs, and removes publisher-supplied Prebid scripts. The NPM-bundled Prebid.js is served as a separate split bundle (`tsjs-prebid.min.js`) so it can initialize before publisher ad code attempts legacy Prebid loading.
 
 **Key files**:
 
@@ -322,11 +322,11 @@ Tests or scaffolding can inject configs by calling `settings.integrations.insert
 
 **3. HTML Rewrites Through the Registry**
 
-When the integration is enabled, the `IntegrationAttributeRewriter` removes any `<script src="prebid*.js">` or `<link href=…>` references that match `script_patterns`. The Prebid module is loaded as a separate `<script defer>` tag after the main TSJS bundle, so dropping the publisher assets prevents duplicate downloads. The server-injected config (`window.__tsjs_prebid`) is an inline script that runs before both bundles, ensuring configuration is available when the deferred Prebid module auto-initializes.
+When the integration is enabled, the `IntegrationAttributeRewriter` removes any `<script src="prebid*.js">` or `<link href=…>` references that match `script_patterns`. The Prebid module is loaded as a separate synchronous script tag immediately after the main TSJS bundle, so dropping the publisher assets prevents duplicate downloads and avoids races with publisher ad code that tries to load legacy Prebid. The server-injected config (`window.__tsjs_prebid`) is an inline script that runs before both bundles, ensuring configuration is available when the Prebid module auto-initializes.
 
 **4. TSJS Assets & Testing**
 
-The NPM integration lives in `crates/js/lib/src/integrations/prebid/index.ts`. Tests typically assert that publisher references disappear and the deferred `tsjs-prebid.min.js` tag is present.
+The NPM integration lives in `crates/js/lib/src/integrations/prebid/index.ts`. Tests typically assert that publisher references disappear and the split `tsjs-prebid.min.js` tag is present.
 
 **5. Hybrid EID forwarding**
 

From 3090683e2cb5e6f0ccc1ae3570761aa58c5180c4 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 13:19:15 -0500
Subject: [PATCH 5/7] Revert "Load Prebid split bundle synchronously"

This reverts commit f405735aa378c65255c92f5d98eb709895b94963.
---
 .../trusted-server-core/src/html_processor.rs |  6 +--
 .../src/integrations/prebid.rs                |  2 +-
 .../src/integrations/registry.rs              | 10 ++---
 crates/trusted-server-core/src/publisher.rs   |  8 ++--
 crates/trusted-server-core/src/tsjs.rs        | 39 ++++---------------
 docs/guide/integration-guide.md               | 14 +++----
 6 files changed, 26 insertions(+), 53 deletions(-)

diff --git a/crates/trusted-server-core/src/html_processor.rs b/crates/trusted-server-core/src/html_processor.rs
index 18d56366..eafe1e1e 100644
--- a/crates/trusted-server-core/src/html_processor.rs
+++ b/crates/trusted-server-core/src/html_processor.rs
@@ -232,11 +232,11 @@ pub fn create_html_processor(config: HtmlProcessorConfig) -> impl StreamProcesso
                     for insert in integrations.head_inserts(&ctx) {
                         snippet.push_str(&insert);
                     }
-                    // Main bundle: core + non-split integrations (synchronous).
+                    // Main bundle: core + non-deferred integrations (synchronous).
                     let immediate_ids = integrations.js_module_ids_immediate();
                     snippet.push_str(&tsjs::tsjs_script_tag(&immediate_ids));
-                    // Split bundles: large modules like prebid load outside the
-                    // main bundle. Empty when none are enabled.
+                    // Deferred bundles: large modules like prebid loaded after
+                    // HTML parsing completes. Empty when none are enabled.
                     let deferred_ids = integrations.js_module_ids_deferred();
                     snippet.push_str(&tsjs::tsjs_deferred_script_tags(&deferred_ids));
                     el.prepend(&snippet, ContentType::Html);
diff --git a/crates/trusted-server-core/src/integrations/prebid.rs b/crates/trusted-server-core/src/integrations/prebid.rs
index 17b97d1d..8a2c6157 100644
--- a/crates/trusted-server-core/src/integrations/prebid.rs
+++ b/crates/trusted-server-core/src/integrations/prebid.rs
@@ -1993,7 +1993,7 @@ passphrase = "test-secret-key-32-bytes-minimum"
         );
         assert!(
             processed.contains("tsjs-prebid.min.js"),
-            "Split prebid bundle should be injected"
+            "Deferred prebid bundle should be injected"
         );
     }
 
diff --git a/crates/trusted-server-core/src/integrations/registry.rs b/crates/trusted-server-core/src/integrations/registry.rs
index 9c6e24fc..99df1c73 100644
--- a/crates/trusted-server-core/src/integrations/registry.rs
+++ b/crates/trusted-server-core/src/integrations/registry.rs
@@ -699,10 +699,8 @@ impl IntegrationRegistrationBuilder {
         self
     }
 
-    /// Mark this integration's JS module for split loading outside the main bundle.
-    ///
-    /// Split modules usually load with `defer`, but the script tag policy can
-    /// choose synchronous loading for modules with bootstrap ordering needs.
+    /// Mark this integration's JS module for deferred loading via
+    /// `<script defer>` instead of the main synchronous bundle.
     #[must_use]
     pub fn with_deferred_js(mut self) -> Self {
         self.registration.js_deferred = true;
@@ -1158,11 +1156,11 @@ impl IntegrationRegistry {
             .collect()
     }
 
-    /// Return JS module IDs that should be loaded as split scripts.
+    /// Return JS module IDs that should be loaded with `<script defer>`.
     ///
     /// Only includes modules registered with
     /// [`with_deferred_js`](IntegrationRegistrationBuilder::with_deferred_js)
-    /// that are actually enabled. Returns an empty vec when no split
+    /// that are actually enabled. Returns an empty vec when no deferred
     /// integrations are configured.
     #[must_use]
     pub fn js_module_ids_deferred(&self) -> Vec<&'static str> {
diff --git a/crates/trusted-server-core/src/publisher.rs b/crates/trusted-server-core/src/publisher.rs
index b2402c38..93ce75d6 100644
--- a/crates/trusted-server-core/src/publisher.rs
+++ b/crates/trusted-server-core/src/publisher.rs
@@ -134,8 +134,8 @@ fn accept_encoding_qvalue(header_value: &str, target: &str) -> Option<f32> {
 /// Serves two types of bundles:
 /// - **Unified bundle** (`tsjs-unified.min.js`): core + immediate (non-deferred)
 ///   integration modules.
-/// - **Split module** (`tsjs-{id}.min.js`): a single self-contained IIFE for
-///   modules loaded outside the main bundle (e.g., prebid).
+/// - **Deferred module** (`tsjs-{id}.min.js`): a single self-contained IIFE for
+///   modules loaded with `defer` (e.g., prebid).
 ///
 /// # Errors
 ///
@@ -181,11 +181,11 @@ pub fn handle_tsjs_dynamic(
     Ok(not_found_response())
 }
 
-/// Extract a module ID from a split-module filename like `tsjs-prebid.min.js`.
+/// Extract a module ID from a deferred-module filename like `tsjs-prebid.min.js`.
 ///
 /// Returns `Some(&'static str)` if the filename matches a known JS module ID,
 /// `None` otherwise. The caller must additionally verify that the module is
-/// both split-loaded and enabled via the [`IntegrationRegistry`].
+/// both deferred and enabled via the [`IntegrationRegistry`].
 #[must_use]
 fn parse_deferred_module_filename(filename: &str) -> Option<&'static str> {
     let stem = filename
diff --git a/crates/trusted-server-core/src/tsjs.rs b/crates/trusted-server-core/src/tsjs.rs
index 320ecca5..07c0c97e 100644
--- a/crates/trusted-server-core/src/tsjs.rs
+++ b/crates/trusted-server-core/src/tsjs.rs
@@ -38,39 +38,25 @@ pub fn tsjs_unified_script_tag() -> String {
     tsjs_script_tag(&ids)
 }
 
-/// `/static` URL for a single split module with its own cache-busting hash.
+/// `/static` URL for a single deferred module with its own cache-busting hash.
 #[must_use]
 pub fn tsjs_deferred_script_src(module_id: &str) -> String {
     let hash = single_module_hash(module_id).unwrap_or_default();
     format!("/static/tsjs=tsjs-{module_id}.min.js?v={hash}")
 }
 
-/// Return true when a split module must execute synchronously after the main bundle.
-fn tsjs_split_module_loads_synchronously(module_id: &str) -> bool {
-    module_id == "prebid"
-}
-
-/// `<script>` tag for a single split module.
-///
-/// Most split modules use `defer`, but Prebid must execute synchronously after
-/// the main TSJS bundle so publisher ad code observes the TSJS-owned `pbjs`
-/// before attempting legacy Prebid bundle loading.
+/// `<script defer>` tag for a single deferred module.
 #[must_use]
 pub fn tsjs_deferred_script_tag(module_id: &str) -> String {
-    let defer_attr = if tsjs_split_module_loads_synchronously(module_id) {
-        ""
-    } else {
-        " defer"
-    };
     format!(
-        "<script src=\"{}\"{defer_attr}></script>",
+        "<script src=\"{}\" defer></script>",
         tsjs_deferred_script_src(module_id)
     )
 }
 
-/// Generate all split module `<script>` tags for the given module IDs.
+/// Generate all deferred `<script defer>` tags for the given module IDs.
 ///
-/// Returns an empty string when no split modules are present.
+/// Returns an empty string when no deferred modules are present.
 #[must_use]
 pub fn tsjs_deferred_script_tags(module_ids: &[&str]) -> String {
     module_ids
@@ -215,24 +201,13 @@ mod tests {
     }
 
     #[test]
-    fn tsjs_deferred_script_tag_loads_prebid_synchronously() {
+    fn tsjs_deferred_script_tag_marks_script_defer() {
         let src = tsjs_deferred_script_src("prebid");
 
         assert_eq!(
             tsjs_deferred_script_tag("prebid"),
-            format!("<script src=\"{src}\"></script>"),
-            "should generate a synchronous prebid script tag"
-        );
-    }
-
-    #[test]
-    fn tsjs_deferred_script_tag_marks_other_split_modules_defer() {
-        let src = tsjs_deferred_script_src("creative");
-
-        assert_eq!(
-            tsjs_deferred_script_tag("creative"),
             format!("<script src=\"{src}\" defer></script>"),
-            "should defer non-prebid split module script tags"
+            "should generate a deferred script tag"
         );
     }
 
diff --git a/docs/guide/integration-guide.md b/docs/guide/integration-guide.md
index a0ffc12c..79576b8b 100644
--- a/docs/guide/integration-guide.md
+++ b/docs/guide/integration-guide.md
@@ -212,7 +212,7 @@ impl IntegrationScriptRewriter for MyIntegration {
 `html_processor.rs` calls these hooks after applying the standard origin→first-party rewrite, so you can simply swap URLs, append query parameters, or mutate inline JSON. Use this to point `<script>` tags at your own tsjs-managed bundle (for example, `/static/tsjs=tsjs-testlight.min.js`) or to rewrite embedded Next.js payloads.
 
 ::: warning Removing Elements
-Returning `AttributeRewriteAction::remove_element()` (or `ScriptRewriteAction::RemoveNode` for inline content) removes the element entirely, so integrations can drop publisher-provided markup when the Trusted Server already injects a safe alternative. Prebid, for example, removes publisher `prebid.js` tags because it ships its own split bundle (`tsjs-prebid.min.js`).
+Returning `AttributeRewriteAction::remove_element()` (or `ScriptRewriteAction::RemoveNode` for inline content) removes the element entirely, so integrations can drop publisher-provided markup when the Trusted Server already injects a safe alternative. Prebid, for example, removes publisher `prebid.js` tags because it ships its own deferred bundle (`tsjs-prebid.min.js`).
 :::
 
 ### 5b. Implement Head Injection (Optional)
@@ -251,7 +251,7 @@ Add the module to `crates/trusted-server-core/src/integrations/mod.rs`'s builder
 
 Place any integration-specific JavaScript entrypoint under `crates/js/lib/src/integrations/` (for example, `crates/js/lib/src/integrations/testlight.ts`). The shared `npm run build` script automatically discovers every file in that directory and produces a bundle named `tsjs-<entry>.js`, which the Rust crate embeds as `/static/tsjs=tsjs-<entry>.min.js`.
 
-Integrations that ship additional JS (such as Testlight) typically expose a `shim_src` config and rewrite publisher tags to point at that URL. Others (like Prebid) drop the publisher tag because the server injects its own split bundle automatically.
+Integrations that ship additional JS (such as Testlight) typically expose a `shim_src` config and rewrite publisher tags to point at that URL. Others (like Prebid) drop the publisher tag because the server injects its own deferred bundle automatically.
 
 ### 8. Test Locally
 
@@ -273,7 +273,7 @@ Two built-in integrations demonstrate how the framework pieces fit together.
 Integrations are loaded in one of two ways:
 
 - **Immediate** (default) — concatenated into the main `tsjs-unified.min.js` bundle, loaded synchronously at `<head>` start.
-- **Split** — served as a separate `tsjs-{id}.min.js` tag outside the main bundle. Split modules usually use `<script defer>`, but modules with bootstrap ordering requirements can load synchronously. Integrations opt in by calling `.with_deferred_js()` on their registration builder.
+- **Deferred** — served as a separate `<script defer>` tag (`tsjs-{id}.min.js`), loaded after HTML parsing completes. Used for large modules that would otherwise block rendering. Integrations opt in by calling `.with_deferred_js()` on their registration builder.
 
 ### Testlight
 
@@ -288,9 +288,9 @@ Integrations are loaded in one of two ways:
 
 ### Prebid
 
-**Loading**: Split synchronous script after the main TSJS bundle
+**Loading**: Deferred (`<script defer>`)
 
-**Purpose**: Production Prebid Server bridge that owns `/first-party/ad` & `/third-party/ad`, injects EC IDs, rewrites creatives/notification URLs, and removes publisher-supplied Prebid scripts. The NPM-bundled Prebid.js is served as a separate split bundle (`tsjs-prebid.min.js`) so it can initialize before publisher ad code attempts legacy Prebid loading.
+**Purpose**: Production Prebid Server bridge that owns `/first-party/ad` & `/third-party/ad`, injects EC IDs, rewrites creatives/notification URLs, and removes publisher-supplied Prebid scripts. The NPM-bundled Prebid.js is served as a separate deferred bundle (`tsjs-prebid.min.js`) to avoid blocking page rendering (168 KB).
 
 **Key files**:
 
@@ -322,11 +322,11 @@ Tests or scaffolding can inject configs by calling `settings.integrations.insert
 
 **3. HTML Rewrites Through the Registry**
 
-When the integration is enabled, the `IntegrationAttributeRewriter` removes any `<script src="prebid*.js">` or `<link href=…>` references that match `script_patterns`. The Prebid module is loaded as a separate synchronous script tag immediately after the main TSJS bundle, so dropping the publisher assets prevents duplicate downloads and avoids races with publisher ad code that tries to load legacy Prebid. The server-injected config (`window.__tsjs_prebid`) is an inline script that runs before both bundles, ensuring configuration is available when the Prebid module auto-initializes.
+When the integration is enabled, the `IntegrationAttributeRewriter` removes any `<script src="prebid*.js">` or `<link href=…>` references that match `script_patterns`. The Prebid module is loaded as a separate `<script defer>` tag after the main TSJS bundle, so dropping the publisher assets prevents duplicate downloads. The server-injected config (`window.__tsjs_prebid`) is an inline script that runs before both bundles, ensuring configuration is available when the deferred Prebid module auto-initializes.
 
 **4. TSJS Assets & Testing**
 
-The NPM integration lives in `crates/js/lib/src/integrations/prebid/index.ts`. Tests typically assert that publisher references disappear and the split `tsjs-prebid.min.js` tag is present.
+The NPM integration lives in `crates/js/lib/src/integrations/prebid/index.ts`. Tests typically assert that publisher references disappear and the deferred `tsjs-prebid.min.js` tag is present.
 
 **5. Hybrid EID forwarding**
 

From 5a90e9a560dcfc51393af0ee86012af68dc7d1af Mon Sep 17 00:00:00 2001
From: Christian Pavilonis <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 15:19:29 -0500
Subject: [PATCH 6/7] Update
 crates/trusted-server-adapter-fastly/src/platform.rs

Co-authored-by: Aram Grigoryan <132480+aram356@users.noreply.github.com>
---
 crates/trusted-server-adapter-fastly/src/platform.rs | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/crates/trusted-server-adapter-fastly/src/platform.rs b/crates/trusted-server-adapter-fastly/src/platform.rs
index 4b1a9cf4..d73c4365 100644
--- a/crates/trusted-server-adapter-fastly/src/platform.rs
+++ b/crates/trusted-server-adapter-fastly/src/platform.rs
@@ -309,6 +309,11 @@ fn edge_request_to_fastly(
     let (parts, body) = request.into_parts();
     let mut fastly_req = fastly::Request::new(parts.method, parts.uri.to_string());
     for (name, value) in parts.headers.iter() {
+        // `fastly::Request::new` derives a Host header from the request URI, so
+        // appending the edge request's own Host would leave a duplicate. Replace
+        // it instead to keep the in-memory request well-formed. The Host actually
+        // sent on the wire is still governed by the backend's `override_host`
+        // (see `BackendConfig::ensure`), which forces the value regardless.
         if name == edgezero_core::http::header::HOST {
             fastly_req.set_header(name.as_str(), value.as_bytes());
         } else {

From 604beeab646c7bf77158c2bfbbbd9d7eb53d99c7 Mon Sep 17 00:00:00 2001
From: Christian <christianpavilonis@outlook.com>
Date: Fri, 19 Jun 2026 16:16:28 -0500
Subject: [PATCH 7/7] Add publisher request host override regression test

---
 crates/trusted-server-core/src/publisher.rs | 38 +++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/crates/trusted-server-core/src/publisher.rs b/crates/trusted-server-core/src/publisher.rs
index 93ce75d6..8fb2212f 100644
--- a/crates/trusted-server-core/src/publisher.rs
+++ b/crates/trusted-server-core/src/publisher.rs
@@ -1316,6 +1316,44 @@ mod tests {
         );
     }
 
+    #[tokio::test]
+    async fn publisher_request_sends_configured_host_header_override() {
+        let mut settings = create_test_settings();
+        settings.publisher.origin_host_header_override = Some("www.example.com".to_string());
+        let registry =
+            IntegrationRegistry::new(&settings).expect("should create integration registry");
+        let stub = Arc::new(StubHttpClient::new());
+        stub.push_response(200, b"origin response".to_vec());
+        let services = build_services_with_http_client(
+            Arc::clone(&stub) as Arc<dyn crate::platform::PlatformHttpClient>
+        );
+        let req = HttpRequest::builder()
+            .method(Method::GET)
+            .uri("https://publisher.example/page")
+            .header(header::HOST, "publisher.example")
+            .body(EdgeBody::empty())
+            .expect("should build request");
+
+        let _ = handle_publisher_request(&settings, &registry, &services, req)
+            .await
+            .expect("should proxy publisher request");
+
+        let recorded_headers = stub.recorded_request_headers();
+        let outbound_headers = recorded_headers
+            .first()
+            .expect("should record one outbound request");
+        let outbound_host = outbound_headers
+            .iter()
+            .find(|(name, _)| name.eq_ignore_ascii_case("host"))
+            .map(|(_, value)| value.as_str());
+
+        assert_eq!(
+            outbound_host,
+            Some("www.example.com"),
+            "should send configured host override to outbound request"
+        );
+    }
+
     #[test]
     fn stream_publisher_body_preserves_gzip_round_trip() {
         use flate2::write::GzEncoder;