[scanner integration] Add support for "moderate" and "severe" warnings on directory entry pages

[eloquence]

Part of epic #488. In some cases, depending on the results of a landing page scan, we want to show warnings on the directory entry pages (icons from #489):

Icon	Warning type
	Severe warning. The user should only visit the landing page with the Tor browser set to "safest".
	Moderate warning. The user should only visit the landing page with the Tor browser.

Warning display logic

Any landing page scan may trigger a combination of 0..n moderate warnings, and 0..n severe warnings.

Regardless of the number of warnings, only a single icon should be shown (severe if any severe warnings are triggered, moderate if only moderate warnings are triggered). Next to the icon, the specific messages should be shown, such as "This SecureDrop landing page is hosted on a subdomain (etc.)."

Finally, at the end of the warning messages, a security recommendation should be shown. If a severe warning was triggered, the security recommendation should read:

"We strongly advise you to only visit this landing page using the Tor browser, with the safety slider set to "safest"."

If only moderate warnings were triggered, the security recommendation should read:

"We recommend only visiting this SecureDrop landing page using the Tor browser."

These messages should be displayed in close proximity to the landing page.

Whitelisting

In some cases, it will be necessary to suppress specific warnings. It may be useful to implement support for this in a generic fashion. The first case where we anticipate a need for this is the use of subdomains (#497), as it is sometimes innocuous.

Warning flag

The warnings should initially be off by default, and displayed through a per-request flag. See #489 for implementation details.

User stories

• As a source, I want to be given concrete, clear and relevant security recommendations when browsing SecureDrop landing pages, so I can avoid accidentally exposing myself to risks.

[harrislapiroff]

Here's my proposed design for this:

Hover should go all red, like so:

For moderate warnings, basically the same design, but yellow.

A couple questions for @eloquence and maybe @redshiftzero:

• Should we display this error differently if the user is already on Tor?
• Should we hide the button initially and require the user to explicitly confirm "I understand the risk"?

[eloquence]

This looks great! Note that subdomains would get a moderate warning (#497) not a severe one per current spec, but I understand it's just an example.

Both of the improvements you identify sound potentially worthwhile to me, but I would suggest focusing on the core functionality for now so we can get a version ready for preview by news organizations. During the significant wait time while we give them an opportunity to fix issues detected by the scanner, we can make some additional functional and cosmetic improvements.