Lock uri.allowed-protocols in Config

Summary: This allows administrative overreach. Administrators can enable `javascript:` and then XSS things if this isn't locked.

Test Plan: Viewed value on web UI, verified it was locked.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6975

src/applications/config/option/PhabricatorSecurityConfigOptions.php

@@ -124,7 +124,8 @@ final class PhabricatorSecurityConfigOptions
             "whitelist is primarily to prevent security issues like ".
             "javascript:// URIs."))
         ->addExample(
-          '{"http": true, "https": true"}', pht('Valid Setting')),
+          '{"http": true, "https": true"}', pht('Valid Setting'))
+        ->setLocked(true),
        $this->newOption(
          'celerity.resource-hash',
          'string',