Proxy-excluded URLs should be removed entirely by default.
The presence of any non-proxied addresses makes a combined attack possible in Web 2.0 with a quasi-remote attacker. It is better to clear all the addresses that are allowed to bypass the proxy.
But a clean default setting is dangerous, according to coderman. However, under the existing mechanism in Firefox, even desirable to keep default values in the list no_proxies_on. As an example, suppose yaydomain is excluded; then x.yaydomain and x.yyaydomain bypass the proxy too.
Alternative control of excluded hosts: clear no_proxies_on and intercept all requests, so that the proxy settings are excepted only for strictly the "yaydomain" address, or that address is blocked completely, and all other requests pass without changes.
[Automatically added by flyspray2trac: Operating System: All]
Trac:
Username: OTU
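
The matching behaviour from the ticket's yaydomain example, next to the strict exact-host alternative it proposes, as an added example that is not part of the original ticket and not Firefox or Torbutton code. The function names are hypothetical, the loose rule is modelled only on the ticket's description, and the host list is constructed from the ticket's own names.

```javascript
// Added example: models the matching described in the ticket, not Firefox source.

// Split a no_proxies_on style value ("a, b, c") into lowercase entries.
function parseNoProxyList(value) {
  return value
    .split(",")
    .map((entry) => entry.trim().toLowerCase())
    .filter(Boolean);
}

// Loose rule as the ticket describes it: an entry matches any host that
// merely ends with it, with no check for a "." label boundary.
function bypassesLoose(host, entries) {
  const h = host.toLowerCase();
  return entries.some((entry) => h.endsWith(entry));
}

// Strict rule proposed in the ticket: only the exact host is excepted.
function bypassesStrict(host, entries) {
  return entries.includes(host.toLowerCase());
}

// Audit helper: hosts that skip the proxy only because of the loose rule.
function unintendedBypasses(hosts, listValue) {
  const entries = parseNoProxyList(listValue);
  return hosts.filter(
    (h) => bypassesLoose(h, entries) && !bypassesStrict(h, entries)
  );
}

// Constructed sample input using the host names from the ticket.
const sampleHosts = ["yaydomain", "x.yaydomain", "x.yyaydomain", "example.org"];

for (const host of sampleHosts) {
  const entries = parseNoProxyList("yaydomain");
  console.log(
    host,
    "loose:", bypassesLoose(host, entries),
    "strict:", bypassesStrict(host, entries)
  );
}
console.log("unintended:", unintendedBypasses(sampleHosts, "yaydomain"));
```

With an empty list, neither rule lets any host bypass the proxy, which is the cleared state the ticket asks for.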