diff --git a/Gopkg.toml b/Gopkg.toml
index 337f38647b674477ecaff63ffbaffde951e289c7..304c6fe972d27650c32eeb6035703610a6295831 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -25,7 +25,7 @@
 #   unused-packages = true
 
 [[constraint]]
-  branch = "master"
+  branch = "iframe-security"
   name = "code.vereign.com/code/restful-api"
 
 [prune]
diff --git a/javascript/src/iframe/viamapi-iframe.js b/javascript/src/iframe/viamapi-iframe.js
index d7c90e2bf9fc405a16d7cb37252b44b869192be0..1830dfa1bf4fa82005e918b05456048bc1bef53d 100644
--- a/javascript/src/iframe/viamapi-iframe.js
+++ b/javascript/src/iframe/viamapi-iframe.js
@@ -546,7 +546,7 @@ function getCertificateForPassport(passportUUID, internal) {
 const connection = Penpal.connectToParent({
   // Methods child is exposing to parent
   methods: {
-    initialize: (apiUrl, wopiUrl, collaboraUrl) => {
+    initialize: async (apiUrl, wopiUrl, collaboraUrl) => {
       if (!apiUrl) {
         apiUrl = `${window.location.origin}/api/`;
         console.warn(`API host URL not specified. Fall back to ${apiUrl}`); // eslint-disable-line no-console
@@ -572,6 +572,28 @@ const connection = Penpal.connectToParent({
         collaboraUrl.charAt(collaboraUrl.length - 1) === "/"
           ? collaboraUrl
           : collaboraUrl + "/";
+
+      const { code, data: { domains: permittedDomains }} = await penpalMethods.identityGetPermittedDomains();
+
+      if (code !== "200") {
+        throw new Error("Unable to retrieve a list of permitted domains.")
+      }
+
+      if (permittedDomains && permittedDomains.length) {
+        const iframeOrigin = document.referrer;
+        let iframeOriginIsPermitted = false;
+
+        for (const domain of permittedDomains) {
+          if (iframeOrigin.includes(domain)) {
+            iframeOriginIsPermitted = true;
+            break;
+          }
+        }
+
+        if (!iframeOriginIsPermitted) {
+          throw new Error(`Iframe origin "${iframeOrigin}" is not permitted.`)
+        }
+      }
     },
     ...penpalMethods,
     createIdentity(pinCode) {
@@ -2589,7 +2611,7 @@ connection.promise.then(parent => {
           false
         );
 
-        await setCurrentlyLoadedIdentity(identity);
+        !window.currentlyLoadedIdentity && await setCurrentlyLoadedIdentity(identity);
 
         if (!identityAuthenticatedEvent && identity) {
           const event = createEvent("IdentityAuthenticated", "Authenticated", [
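Review bot: The replaced line uses `&&` as a statement for its side effect, `!window.currentlyLoadedIdentity && await setCurrentlyLoadedIdentity(identity);`, which reads as a forgotten assignment and trips `no-unused-expressions`; an explicit conditional states the intent: `if (!window.currentlyLoadedIdentity) {` / `  await setCurrentlyLoadedIdentity(identity);` / `}`. A one-line comment explaining why an already-loaded identity must not be replaced here would help, since the reason is not visible in the hunk. The enclosing async callback starts and ends outside this hunk.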