
LibWeb: Omit origin check for content document in FrameBox::paint()

Once we paint, it's way too late for this check to happen anyway.

Additionally, the spec's steps for retrieving the content document
assume that both the browsing context's active document and the
container's node document are non-null, which evidently isn't always the
case here, as seen by crashes on the SerenityOS 2nd and 3rd birthday
pages (I'm not sure about the details though).

Fixes #12565.
Linus Groh 3 years ago
parent
commit
c7f8c20f8b

+ 7 - 0
Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.cpp

@@ -60,4 +60,11 @@ const DOM::Document* BrowsingContextContainer::content_document() const
     return document;
 }
 
+DOM::Document const* BrowsingContextContainer::content_document_without_origin_check() const
+{
+    if (!m_nested_browsing_context)
+        return nullptr;
+    return m_nested_browsing_context->active_document();
+}
+
 }
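Review bot: the new definition spells the return type `DOM::Document const*` while `content_document()` a few lines above in the same file uses `const DOM::Document*`; pick one const placement for the file. A one-line comment above the new function would also help: it deliberately skips the origin check and returns the nested browsing context's active document, which may be null, so readers know it is meant for rendering-only callers and not for anything script-observable.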

+ 1 - 0
Userland/Libraries/LibWeb/HTML/BrowsingContextContainer.h

@@ -19,6 +19,7 @@ public:
     const BrowsingContext* nested_browsing_context() const { return m_nested_browsing_context; }
 
     const DOM::Document* content_document() const;
+    DOM::Document const* content_document_without_origin_check() const;
 
     virtual void inserted() override;
 
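Review bot: the added declaration `DOM::Document const* content_document_without_origin_check() const;` sits directly under `const DOM::Document* content_document() const;`, so the two adjacent declarations disagree on const placement; match the existing line. A short comment stating when the no-origin-check variant is appropriate (internal rendering paths, not script-facing code) would make the header self-explanatory, since the name alone says what it skips but not why that is acceptable.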

+ 1 - 1
Userland/Libraries/LibWeb/Layout/FrameBox.cpp

@@ -36,7 +36,7 @@ void FrameBox::paint(PaintContext& context, PaintPhase phase)
     ReplacedBox::paint(context, phase);
 
     if (phase == PaintPhase::Foreground) {
-        auto* hosted_document = dom_node().content_document();
+        auto* hosted_document = dom_node().content_document_without_origin_check();
         if (!hosted_document)
             return;
         auto* hosted_layout_tree = hosted_document->layout_node();
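Review bot: with the origin check dropped on the changed line, `hosted_document` is now whatever `active_document()` returns for the nested browsing context, so the existing `if (!hosted_document) return;` guard immediately below is the only thing handling the null case the commit message describes; keep it in place. The bypass stays confined to rendering here because this branch only reads `hosted_document->layout_node()` and never exposes the document to script, which is what makes skipping the check safe at paint time; any other caller that adopts the same accessor should be reviewed against that same condition.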