diff --git a/www/common/sframe-common-outer.js b/www/common/sframe-common-outer.js
index 7351a2485..1a380e0a0 100644
--- a/www/common/sframe-common-outer.js
+++ b/www/common/sframe-common-outer.js
@@ -8,7 +8,41 @@ define([
 ], function (nThen, ApiConfig, RequireConfig, Messages, $) {
 var common = {};
+ var embeddableApps = [
+ //'calendar',
+ 'code',
+ //'doc', // XXX
+ // 'drive', // XXX
+ //'file', // doesn't suggest iframes
+ 'form',
+ 'kanban',
+ 'pad',
+ // 'poll', // XXX
+ //'presentation', // XXX
+ // 'sheet', // XXX
+ 'slide',
+ //'teams', // XXX
+ 'whiteboard',
+ ].map(function (x) {
+ return `/${x}/`; // XXX intentionally break IE or anything that doesn't support template literals
+ });
+ common.initIframe = function (waitFor, isRt, pathname) {
+ if (window.top !== window) {
+ if (ApiConfig.disableEmbedding) {
+ return void window.alert(`This CryptPad instance's administrators have disabled remote embedding of its editors.`);
+ }
+ // even where embedding is not forbidden it should still be limited
+ // to apps that are explicitly permitted
+ if (!embeddableApps.includes(window.location.pathname)) {
+ return void window.alert(`Embedding this CryptPad editor in remote pages is not supported.`);
+ }
+ }
+ if (window.location.origin !== ApiConfig.httpUnsafeOrigin) {
+ return void window.alert(`This page is configured to only be accessed via ${ApiConfig.httpUnsafeOrigin}.`);
+ }
+ var requireConfig = RequireConfig();
 var lang = Messages._languageUsed;
 var themeKey = 'CRYPTPAD_STORE|colortheme';
diff --git a/www/debug/main.js b/www/debug/main.js
index 6f855e1db..124ea39f9 100644
--- a/www/debug/main.js
+++ b/www/debug/main.js
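Review bot: The three `window.alert` calls added to `initIframe` will not be seen in the very case they guard, because Chromium-based browsers (since Chrome 92) silently drop `alert()`/`confirm()`/`prompt()` issued from a cross-origin iframe; the `return void` still aborts initialization, so the guard holds, but the embedding page is left with a blank frame and no explanation. Writing the message into the document before returning, e.g. `document.body.textContent = msg;` (with the alert kept as a fallback), makes the refusal visible everywhere. Separately, `embeddableApps.includes(window.location.pathname)` is an exact string comparison, so `/code/index.html` (which `/code/` normally resolves to), a differently cased path or a double-slash variant is rejected as "not supported" — fail-closed, but it will surprise embedders who link the file directly; either normalize the pathname to its trailing-slash directory form before the lookup or state in the comment above it that only the `/<app>/` form is accepted. The function also receives a `pathname` parameter yet checks `window.location.pathname`; if those are meant to be the same value, a one-line comment saying why the global is used would prevent a later "fix" that swaps them.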
@@ -13,6 +13,9 @@ define([
 '/common/common-interface.js',
 ], function (nThen, ApiConfig, $, RequireConfig, SFCommonO, Cryptpad, Util, Hash, Realtime, Constants, UI) {
+ if (window.top !== window) {
+ return void window.alert(`If you are seeing this message then somebody might be trying to compromise your CryptPad account. Please contact the CryptPad development team.`);
+ }
 window.Cryptpad = {
 Common: Cryptpad,
diff --git a/www/login/main.js b/www/login/main.js
index df0be1733..1a27343fc 100644
--- a/www/login/main.js
+++ b/www/login/main.js
@@ -10,6 +10,7 @@ define([
 'css!/bower_components/components-font-awesome/css/font-awesome.min.css',
 ], function ($, Cryptpad, Login, UI, Realtime, Feedback, LocalStore /*, Test */) {
+ if (window.top !== window) { return; }
 $(function () {
 var $checkImport = $('#import-recent');
 if (LocalStore.isLoggedIn()) {
diff --git a/www/register/main.js b/www/register/main.js
index 301306f70..8edbaab92 100644
--- a/www/register/main.js
+++ b/www/register/main.js
@@ -14,6 +14,7 @@ define([
 'css!/bower_components/components-font-awesome/css/font-awesome.min.css',
 ], function ($, Login, Cryptpad, /*Test,*/ Cred, UI, Util, Realtime, Constants, Feedback, LocalStore, h) {
+ if (window.top !== window) { return; }
 var Messages = Cryptpad.Messages;
 $(function () {
 if (LocalStore.isLoggedIn()) {
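Review bot: The warning this guard exists to show — "somebody might be trying to compromise your CryptPad account" — goes through `window.alert`, which Chromium-based browsers suppress when the caller is a cross-origin iframe, so the one user who should read it never will; the early `return` before `window.Cryptpad = {` still keeps the debug tooling from initializing, so the protective effect remains. Render the text into the page instead, e.g. `document.body.textContent = msg;` plus a `console.error(msg)` so it also lands in logs, keeping the alert only as a fallback. A short comment above the check stating the threat it addresses (the debug page exposes internals that must never be driven from a foreign frame) would document why the message is worded so strongly.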
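Review bot: The bare `return` in the new login guard stops the script from wiring up the form but leaves the statically rendered login form on screen, and since the check only runs when scripts run, an embedding page using `<iframe sandbox>` gets that form without the guard ever executing; a JavaScript frame check is a second layer, not the control. If the server does not already send `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`) for `/login/` — the headers are not visible in this diff — that is the change that actually prevents framing this page. The check itself deserves a why-comment so it is not mistaken for dead code, e.g. `// never run the login flow when framed: this page must not be embeddable (clickjacking / credential capture)`.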
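Review bot: The register guard is the same undocumented one-liner as in login, and neither explains to a reader what it protects against nor gives the user any feedback, whereas the debug page in this same commit alerts; the three checks would be easier to keep consistent as one shared helper (for example a `Util.isFramed()`-style predicate, assuming the shared util module is an appropriate home — I cannot see it here) with a single agreed reaction. As with login, the script check only helps once scripts run, so the registration form should also be covered by `frame-ancestors`/`X-Frame-Options` on the server if it is not already. At minimum add the same why-comment as on login, e.g. `// registration must not run inside a foreign frame`, so the line is not removed as redundant.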