Comment 189 for bug 1022741

In , R-bugs-h (r-bugs-h) wrote :

Comment on attachment 633735
iframe sandbox v17

>+ static PRUint32 ParseSandboxAttributeToFlags(const nsAString&
>+ aSandboxAttr);
Odd indentation. aSandboxAttr should fit in to the previous line.

>+ if (token.LowerCaseEqualsLiteral("allow-scripts")) {
>+ out &= ~SANDBOXED_SCRIPTS;
>+ } else if (token.LowerCaseEqualsLiteral("allow-same-origin")) {
>+ out &= ~SANDBOXED_ORIGIN;
>+ } else if (token.LowerCaseEqualsLiteral("allow-forms")) {
>+ out &= ~SANDBOXED_FORMS;
>+ } else if (token.LowerCaseEqualsLiteral("allow-scripts")) {
>+ // allow-scripts removes both SANDBOXED_SCRIPTS and
>+ // SANDBOXED_AUTOMATIC_FEATURES.
>+ out &= ~SANDBOXED_SCRIPTS;
>+ out &= ~SANDBOXED_AUTOMATIC_FEATURES;
>+ } else if (token.LowerCaseEqualsLiteral("allow-top-navigation")) {
>+ out &= ~SANDBOXED_TOPLEVEL_NAVIGATION;
>+ }
>+ }
>+ }
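
Review bot: the second "allow-scripts" branch in this else-if chain can never run, because the first branch already matches the same token, so "out &= ~SANDBOXED_AUTOMATIC_FEATURES;" is dead code and that flag stays set even when allow-scripts is present. The error is in the restrictive direction, but it contradicts the comment saying allow-scripts removes both flags; clear both flags in the first branch and delete the duplicate. The chain also has no branch for allow-popups, so that token falls through without changing "out"; if that is deliberate for this revision, a comment here should say so.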

So why don't you handle allow-popups?
And why do you handle allow-scripts twice?
Do you have any tests for not having SANDBOXED_AUTOMATIC_FEATURES?