Prior to this PR the HTML head was being included twice on the password auth page. One from root.html and another from the error page, so we decoupled those.
