Dear René,
Thank you very much for this great job !
I have a couple of questions about double tagging :
To be effective and exploited, this attack means that the attacker frame is not already in a port with a vlan other than the native vlan ?
In this sentence : “When the switch receives the frame, it will remove the first 802.1Q tag and forwards the frame with the second 802.1Q tag on its trunk interface(s).” Why the switch remove the first tag when this one " enter " the trunk ? Removing tags occurs when the frame exit the trunk for being delivered to the destination host ? Isn’t it ?
If it is a " native vlan " does the switch remove the tag at the entry of the trunk ? We use the native vlan to specify untagged frames ?
To be honest, not very clear for me 
Prince