It's reasonable to give sites the ability to enforce restrictions on framed content. w3c.github.io/webappsec-csp/… will be a safe way of doing so.

It boils down to an `<iframe sandbox>` variant that requires both sides to opt-in. I think it has lots of potential.