Admin interface: Explain that safety settings need to be lowered to display QR code #3291
Comments
I wonder if it would make more sense to install the dependency that lets us render the QR code to a PNG instead of trying to train a journalist to mess with the security settings in Tor Browser. I think it may be long term problematic to train someone to trust any website that's saying "hey, undo this security countermeasure."
I agree that not rendering inline SVG which we know Tor doesn't like is the preferred fix. Do you have time to take a crack at that? I'm (as usual) a little worried about squeezing it into 0.7, and I would prefer to at least have an interim explanation on the page go out with that release, because the solution when a user encounters this issue is completely non-obvious. One note -- AFAIK this only happens during account creation, so the user who would likely perform the action of changing the safety settings is the SecureDrop administrator, not a journalist user (unless of course they are the same person).
I started looking into this, and it doesn't look trivial. You might want to update the docs in preparation for this not making it into the 0.7 release.
Good observation @eloquence! So note that this item is included in the (now more clearly named) #1476. The bad news is that this is just one of several areas on the Journalist and Admin interfaces where the images break - the other being almost all the icons. Also, as you probably know, some functionality on the Journalist Interface requires JavaScript, though things won't look broken if JavaScript is disabled. The good news is that the Journalist and Admins are actually not instructed to set the Security Slider to High (whereas sources are instructed to turn the Security Slider via the banner that appears along the top of the interface). That said, I do think a note in the docs would be a good contribution, in case journalists/admins do turn the security slider to high and wonder why some images don't render.
See #1574 for previous issues with SVGs; however, this one is still open. When creating an account, we render a QR code for FreeOTP. That QR code is an inline SVG, which Tor just quietly ignores if safety settings are at "safest". We should instruct users on this page to temporarily lower safety settings to display the code, at least until we have a better solution.
Steps to reproduce
Go to admin interface, add an account, and confirm the first step. On the resulting page, the following text is shown:
If Tor is at the safest security settings, no QR code will be shown below.
User Stories
As a SecureDrop administrator, I want to be able to help users scan 2FA QR codes, so that I can onboard them onto the system.
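
The PNG alternative raised in the comments, sketched as an added example (not SecureDrop's code): it rasterises a QR module matrix to a PNG with the standard library only and embeds it as a `data:` URI, so the page no longer depends on inline SVG. The function names and the idea that the QR library exposes its modules as a square list of booleans are assumptions.

```python
import base64
import html
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

def matrix_to_png(matrix, scale=4, quiet_zone=4) -> bytes:
    """Render a square module matrix (True = dark) as an 8-bit grayscale PNG."""
    n = len(matrix)
    if n == 0 or any(len(row) != n for row in matrix):
        raise ValueError("matrix must be square and non-empty")
    side = (n + 2 * quiet_zone) * scale
    blank = b"\x00" + b"\xff" * side            # filter byte 0, then white pixels
    margin = b"\xff" * (quiet_zone * scale)     # white quiet zone, left and right
    raw = bytearray(blank * (quiet_zone * scale))
    for row in matrix:
        pixels = b"".join((b"\x00" if dark else b"\xff") * scale for dark in row)
        raw += (b"\x00" + margin + pixels + margin) * scale
    raw += blank * (quiet_zone * scale)
    # IHDR: width, height, bit depth 8, colour type 0 (grayscale), no interlace
    ihdr = struct.pack(">IIBBBBB", side, side, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(bytes(raw), 9))
            + png_chunk(b"IEND", b""))

def png_img_tag(matrix, alt="Two-factor QR code") -> str:
    """Return an <img> tag carrying the PNG as a base64 data: URI."""
    b64 = base64.b64encode(matrix_to_png(matrix)).decode("ascii")
    return f'<img alt="{html.escape(alt, quote=True)}" src="data:image/png;base64,{b64}">'

# Constructed 3x3 sample matrix, NOT a valid QR code; a real matrix would
# come from whichever QR library generates the FreeOTP provisioning code.
SAMPLE = [[True, False, True],
          [False, True, False],
          [True, False, True]]

if __name__ == "__main__":
    print(png_img_tag(SAMPLE))
```

Because the image is generated server-side and embedded in the response, the shared secret in the QR code is never written to disk or fetched from a separate URL.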