fix(react-dom): check if iframe belongs to the same origin

The try / catch block doesn't catch cross domain security error but it
doesn't affect the code execution flow. This mean that the code after
the try / catch block will be executed.

We can do the following To check if the parent page has access to the iframe document:

``javascript`
  let hasAccessToDocument = false; // declare an unitialized variable
  try {
    iframe.contentWindow.location.href; // try to access the iframe
property
    hasAccessToDocument = href != null; // This line will be executed if
it has access
  } catch (err) {
    // Catch block is not executed since the browser throws a cross-domain error
  }

  return hasAccessToDocument; // This value will be set to true if the parent page has access to the
iframe content.
```

Author: renanvalentin

packages/react-dom/src/client/ReactInputSelection.js

@@ -40,14 +40,31 @@ function isInDocument(node) {
   );
 }
 
+function isSameOriginFrame(iframe) {
+  let hasAccessToDocument = false;
+  try {
+    const href = iframe.contentWindow.location.href;
+    // This line is only invoked if the iframe belongs to the same domain
+    hasAccessToDocument = href != null;
+  } catch (err) {
+    // Catch block is not executed since the browser throws a cross-domain error
+  }
+
+  return hasAccessToDocument;
+}
+
 function getActiveElementDeep() {
   let win = window;
   let element = getActiveElement();
   while (element instanceof win.HTMLIFrameElement) {
     // Accessing the contentWindow of a HTMLIframeElement can cause the browser
     // to throw, e.g. if it has a cross-origin src attribute
     try {
-      win = element.contentWindow;
+      if (isSameOriginFrame(element)) {
+        win = element.contentWindow;
+      } else {
+        return element;
+      }
     } catch (e) {
       return element;
     }