diff --git a/src/wp-includes/js/wp-embed.js b/src/wp-includes/js/wp-embed.js index 50471c714b..985f0b801d 100644 --- a/src/wp-includes/js/wp-embed.js +++ b/src/wp-includes/js/wp-embed.js @@ -22,6 +22,10 @@ return; } + if ( /[^a-zA-Z0-9]/.test( data.secret ) ) { + return; + } + var iframes = document.querySelectorAll( 'iframe[data-secret="' + data.secret + '"]' ), blockquotes = document.querySelectorAll( 'blockquote[data-secret="' + data.secret + '"]' ), i, source, height, sourceURL, targetURL; @@ -33,6 +37,10 @@ for ( i = 0; i < iframes.length; i++ ) { source = iframes[ i ]; + if ( e.source !== source.contentWindow ) { + continue; + } + source.style.display = ''; /* Resize the iframe on request. */
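Review bot: The new check on `data.secret` is a negative, unanchored match, so it rejects only values that contain a non-alphanumeric character. An empty string, or a non-string value whose string form is alphanumeric, still passes `.test()` and reaches the two `querySelectorAll` selectors below. The guard that precedes it starts outside the hunk and may already exclude those cases, but a positive check is easier to audit: `if ( typeof data.secret !== 'string' || ! /^[a-zA-Z0-9]+$/.test( data.secret ) ) { return; }`. A short comment would also record the reason, for example `/* data.secret is concatenated into attribute selectors below; allow alphanumerics only. */`.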
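Review bot: The `e.source !== source.contentWindow` check sits only inside the iframe loop, so anything done with the `blockquotes` list selected in the earlier hunk is not tied to the sending window. That code is outside this hunk, so please confirm whether it should wait until a matching iframe has been found. The check would also benefit from a comment stating its purpose, for example `/* Only act on messages sent by the iframe that carries this secret. */`. The loop body continues past the end of the hunk.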