getSVGDocument() and content document use slightly different security checks

[annevk]

I wanted to refactor getSVGDocument() to use the content document concept, but the former uses the origin of the container's node document and the latter uses the current settings object's origin.

I suspect that implementations are better than this and have only one security check, but this needs to be tested. I think the difference can be tested by grabbing a reference and then changing the origin of the "current script" while not changing the origin of the container's node document or its nested browsing context.