Secure cross-frame communication between frames in a web browser may be achieved using encryption. The communication may occur between frames that pass messages to one another via an untrusted, and potentially malicious, intermediary. To prevent an intermediary from reading the content of messages, frames may agree on and use a shared secret encryption key to encrypt messages. This key may be created by passing tokens between frames that want to securely communicate.