Secure embedding of private content via a dynamically-set security policy

Disclosed are system architectures and techniques for securely embedding private content via dynamically-set security policy. A streaming service stores associations of particular streaming content with security policies that each specify domains allowed to initiate streaming from the streaming service. Requests for the streaming content are received from user-agents. The streaming service identifies respective security policies associated with each of the streaming content indicated by each of the requests and dynamically sets each security policy in a response. The responses are transmitted back to the user-agent where the security policy is enforced. In some instances, the streaming service is an application streaming service that hosts respective applications for different entities for streaming application content, and the security policies specify domains allowed to initiate application streaming from the application streaming service for the corresponding hosted application. A configuration interface for configuring the permitted domains and other features is also disclosed.