diff --git a/content/html/content/src/HTMLIFrameElement.cpp b/content/html/content/src/HTMLIFrameElement.cpp
index 132739ae9a6..a728d0bb7f5 100644
--- a/content/html/content/src/HTMLIFrameElement.cpp
+++ b/content/html/content/src/HTMLIFrameElement.cpp
@@ -43,7 +43,6 @@ NS_IMPL_STRING_ATTR(HTMLIFrameElement, Scrolling, scrolling)
 NS_IMPL_URI_ATTR(HTMLIFrameElement, Src, src)
 NS_IMPL_STRING_ATTR(HTMLIFrameElement, Width, width)
 NS_IMPL_BOOL_ATTR(HTMLIFrameElement, AllowFullscreen, allowfullscreen)
-NS_IMPL_STRING_ATTR(HTMLIFrameElement, Sandbox, sandbox)
 NS_IMPL_STRING_ATTR(HTMLIFrameElement, Srcdoc, srcdoc)
 
 void
@@ -98,6 +97,10 @@ HTMLIFrameElement::ParseAttribute(int32_t aNamespaceID,
     if (aAttribute == nsGkAtoms::align) {
       return ParseAlignValue(aValue, aResult);
     }
+    if (aAttribute == nsGkAtoms::sandbox) {
+      aResult.ParseAtomArray(aValue);
+      return true;
+    }
   }
 
   return nsGenericHTMLFrameElement::ParseAttribute(aNamespaceID, aAttribute,
@@ -211,20 +214,11 @@ HTMLIFrameElement::AfterSetAttr(int32_t aNameSpaceID, nsIAtom* aName,
                                 const nsAttrValue* aValue,
                                 bool aNotify)
 {
-  if (aName == nsGkAtoms::sandbox && aNameSpaceID == kNameSpaceID_None) {
-    // If we have an nsFrameLoader, parse the new value of the sandbox
-    // attribute and apply the new sandbox flags.
-    if (mFrameLoader) {
-      // If a nullptr aValue is passed in, we want to clear the sandbox flags
-      // which we will do by setting them to 0.
-      uint32_t newFlags = 0;
-      if (aValue) {
-        nsAutoString strValue;
-        aValue->ToString(strValue);
-        newFlags = nsContentUtils::ParseSandboxAttributeToFlags(strValue);
-      }   
-      mFrameLoader->ApplySandboxFlags(newFlags);
-    }
+  if (aName == nsGkAtoms::sandbox && aNameSpaceID == kNameSpaceID_None && mFrameLoader) {
+    // If we have an nsFrameLoader, apply the new sandbox flags.
+    // Since this is called after the setter, the sandbox flags have
+    // alreay been updated.
+    mFrameLoader->ApplySandboxFlags(GetSandboxFlags());
   }
   return nsGenericHTMLElement::AfterSetAttr(aNameSpaceID, aName, aValue,
                                             aNotify);
diff --git a/content/html/content/src/HTMLIFrameElement.h b/content/html/content/src/HTMLIFrameElement.h
index 54884319b75..3fe60c67630 100644
--- a/content/html/content/src/HTMLIFrameElement.h
+++ b/content/html/content/src/HTMLIFrameElement.h
@@ -9,6 +9,7 @@
 #include "mozilla/Attributes.h"
 #include "nsGenericHTMLFrameElement.h"
 #include "nsIDOMHTMLIFrameElement.h"
+#include "nsDOMSettableTokenList.h"
 
 namespace mozilla {
 namespace dom {
@@ -77,9 +78,9 @@ public:
   {
     SetHTMLAttr(nsGkAtoms::name, aName, aError);
   }
-  void GetSandbox(DOMString& aSandbox)
+  nsDOMSettableTokenList* Sandbox()
   {
-    GetHTMLAttr(nsGkAtoms::sandbox, aSandbox);
+    return GetTokenList(nsGkAtoms::sandbox);
   }
   bool AllowFullscreen() const
   {
diff --git a/content/html/content/test/test_iframe_sandbox_general.html b/content/html/content/test/test_iframe_sandbox_general.html
index 93b23dbb60f..bb9bcb1ff7a 100644
--- a/content/html/content/test/test_iframe_sandbox_general.html
+++ b/content/html/content/test/test_iframe_sandbox_general.html
@@ -91,8 +91,8 @@ function doTest() {
   ok_wrapper("sandbox" in ifr, "a new iframe should have a sandbox attribute");
 
   // passes if good
-  // 11) test that the sandbox attribute's default value is an empty string
-  ok_wrapper(ifr.sandbox === "", "default sandbox attribute should be an empty string");
+  // 11) test that the sandbox attribute's default stringyfied value is an empty string
+  ok_wrapper(ifr.sandbox.length === 0 && ifr.sandbox == "", "default sandbox attribute should be an empty string");
 
   // passes if good
   // 12) test that a sandboxed iframe with 'allow-forms' can submit forms
diff --git a/dom/interfaces/html/nsIDOMHTMLIFrameElement.idl b/dom/interfaces/html/nsIDOMHTMLIFrameElement.idl
index 645da48e78c..3bcf32909f0 100644
--- a/dom/interfaces/html/nsIDOMHTMLIFrameElement.idl
+++ b/dom/interfaces/html/nsIDOMHTMLIFrameElement.idl
@@ -34,7 +34,5 @@ interface nsIDOMHTMLIFrameElement : nsISupports
   readonly attribute nsIDOMDocument   contentDocument;
   readonly attribute nsIDOMWindow     contentWindow;
 
-           attribute DOMString        sandbox;
-
            attribute boolean          allowFullscreen;
 };
diff --git a/dom/webidl/HTMLIFrameElement.webidl b/dom/webidl/HTMLIFrameElement.webidl
index 1f68b0e4c25..a663f7b883d 100644
--- a/dom/webidl/HTMLIFrameElement.webidl
+++ b/dom/webidl/HTMLIFrameElement.webidl
@@ -18,9 +18,7 @@ interface HTMLIFrameElement : HTMLElement {
            attribute DOMString srcdoc;
   [SetterThrows, Pure]
            attribute DOMString name;
-  // [PutForwards=value] readonly attribute DOMSettableTokenList sandbox;
-  // We're implementing sandbox as a string for now, see bug 845057.
-  attribute DOMString sandbox;
+  [PutForwards=value] readonly attribute DOMSettableTokenList sandbox;
            // attribute boolean seamless;
   [SetterThrows, Pure]
            attribute boolean allowFullscreen;