One additonal security mechanism you might suggest:

The opener specifically whitelists the embeder's domain in a response header.