diff --git a/core/modules/media/src/Controller/OEmbedIframeController.php b/core/modules/media/src/Controller/OEmbedIframeController.php
index 0e45d72f043409af7185ec0c805134d015211461..72f2831154b2a12c1dbb04519483300ca824eb3e 100644
--- a/core/modules/media/src/Controller/OEmbedIframeController.php
+++ b/core/modules/media/src/Controller/OEmbedIframeController.php
@@ -3,6 +3,7 @@
 namespace Drupal\media\Controller;
 
 use Drupal\Component\Utility\Crypt;
+use Drupal\Core\Cache\CacheableMetadata;
 use Drupal\Core\Cache\CacheableResponse;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
 use Drupal\Core\Logger\LoggerChannelInterface;
@@ -140,19 +141,26 @@ public function render(Request $request) {
 
       // Render the content in a new render context so that the cacheability
       // metadata of the rendered HTML will be captured correctly.
-      $content = $this->renderer->executeInRenderContext(new RenderContext(), function () use ($resource) {
-        $element = [
-          '#theme' => 'media_oembed_iframe',
-          // Even though the resource HTML is untrusted, IFrameMarkup::create()
-          // will create a trusted string. The only reason this is okay is
-          // because we are serving it in an iframe, which will mitigate the
-          // potential dangers of displaying third-party markup.
-          '#media' => IFrameMarkup::create($resource->getHtml()),
-        ];
+      $element = [
+        '#theme' => 'media_oembed_iframe',
+        // Even though the resource HTML is untrusted, IFrameMarkup::create()
+        // will create a trusted string. The only reason this is okay is
+        // because we are serving it in an iframe, which will mitigate the
+        // potential dangers of displaying third-party markup.
+        '#media' => IFrameMarkup::create($resource->getHtml()),
+        '#cache' => [
+          // Add the 'rendered' cache tag as this response is not processed by
+          // \Drupal\Core\Render\MainContent\HtmlRenderer::renderResponse().
+          'tags' => ['rendered'],
+        ],
+      ];
+      $content = $this->renderer->executeInRenderContext(new RenderContext(), function () use ($resource, $element) {
         return $this->renderer->render($element);
       });
-
-      $response->setContent($content)->addCacheableDependency($resource);
+      $response
+        ->setContent($content)
+        ->addCacheableDependency($resource)
+        ->addCacheableDependency(CacheableMetadata::createFromRenderArray($element));
     }
     catch (ResourceException $e) {
       // Prevent the response from being cached.
diff --git a/core/modules/media/templates/media-oembed-frame.html.twig b/core/modules/media/templates/media-oembed-iframe.html.twig
similarity index 100%
rename from core/modules/media/templates/media-oembed-frame.html.twig
rename to core/modules/media/templates/media-oembed-iframe.html.twig
diff --git a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
index dbffaf0c4e38c76bfa943a9463476fb657c6fde9..fbdfe6d175d8bccee015b5bd191b89ea2fde6d78 100644
--- a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
+++ b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
@@ -7,6 +7,7 @@
 use Drupal\media_test_oembed\Controller\ResourceController;
 use Drupal\Tests\media\Traits\OEmbedTestTrait;
 use Drupal\user\Entity\Role;
+use Symfony\Component\DependencyInjection\ContainerInterface;
 
 /**
  * Tests the oembed:video media source.
@@ -30,6 +31,18 @@ protected function setUp() {
     $this->lockHttpClientToFixtures();
   }
 
+  /**
+   * {@inheritdoc}
+   */
+  protected function initConfig(ContainerInterface $container) {
+    parent::initConfig($container);
+
+    // Enable twig debugging to make testing template usage easy.
+    $parameters = $container->getParameter('twig.config');
+    $parameters['debug'] = TRUE;
+    $this->setContainerParameter('twig.config', $parameters);
+  }
+
   /**
    * Tests the oembed media source.
    */
@@ -135,6 +148,16 @@ public function testMediaOEmbedVideoSource() {
     // 'view media' permission.
     $this->drupalGet('media/oembed', ['query' => $query]);
     $assert_session->pageTextContains('By the power of Greyskull, Vimeo works!');
+    $this->assertRaw('core/themes/stable/templates/content/media-oembed-iframe.html.twig');
+    $this->assertNoRaw('core/modules/media/templates/media-oembed-iframe.html.twig');
+
+    // Test themes not inheriting from stable.
+    \Drupal::service('theme_handler')->install(['stark']);
+    $this->config('system.theme')->set('default', 'stark')->save();
+    $this->drupalGet('media/oembed', ['query' => $query]);
+    $assert_session->pageTextContains('By the power of Greyskull, Vimeo works!');
+    $this->assertNoRaw('core/themes/stable/templates/content/media-oembed-iframe.html.twig');
+    $this->assertRaw('core/modules/media/templates/media-oembed-iframe.html.twig');
 
     // Remove the 'view media' permission to test that this restricts access.
     $role = Role::load(AccountInterface::ANONYMOUS_ROLE);