Revert unintentional switching to element document in an AllowedByNosniff call

In classic_pending_script.cc, [1] uses
GetElement()->GetDocument().Fetcher()->Context()
which corresponds to the element document, while before [1] it was
GetElement()->GetDocument().ContextDocument()
which corresponds to the context document.

This CL reverts this change and uses the context document, and
adds a regression test derived from a clusterfuzz test case.

[1] https://chromium-review.googlesource.com/1351873

Bug: 912046, 880027
Change-Id: I92ca9723c3fdd1c5d9c304e4e196aeb77c75ee88
Reviewed-on: https://chromium-review.googlesource.com/c/1364050Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#614279}

third_party/blink/renderer/core/script/classic_pending_script.cc

@@ -333,7 +333,7 @@ ClassicScript* ClassicPendingScript::GetSource(const KURL& document_url) const {
 
   // If the MIME check fails, which is considered as load failure.
   if (!AllowedByNosniff::MimeTypeAsScript(
-          GetElement()->GetDocument().Fetcher()->Context(),
+          GetElement()->GetDocument().ContextDocument()->Fetcher()->Context(),
           resource->GetResponse(), AllowedByNosniff::MimeTypeCheck::kLax,
           false)) {
     return nullptr;

third_party/blink/web_tests/http/tests/misc/script-moved-to-createDocument-crash.html

+<!DOCTYPE HTML>
+<html>
+<script src="../resources/testharness.js"></script>
+<script src="../resources/testharnessreport.js"></script>
+<script async id="script" src="resources/script-slow1.pl"></script>
+<script>
+async_test(t => t.step_timeout(() => t.done(), 3000),
+           "Moving a script to a createDocument()ed Document " +
+           "during fetch shouldn't crash");
+const doc = document.implementation.createDocument("", null);
+doc.appendChild(document.getElementById("script"));
+</script>