SimplePolicy lets Announces through from rejected domains
Consider an Announce activity like this:
{
"type": "Announce",
"actor": "https://poa.st/users/graf",
"object": {
"type": "Note",
"actor": "https://gleasonator.com/users/alex"
}
}
If poa.st is our homeserver, and we configure our policy like this:
config :pleroma, :mrf_simple,
reject: ["gleasonator.com"]
...the above activity will still go through, even though the object belongs to a blacklisted domain.
This is because SimplePolicy only checks the actor of the activity, and not the object.