Add permissions initializer and missing image paste controller

config/initializers/permissions_policy.rb

@@ -0,0 +1,19 @@
+# Configure the Permissions-Policy header
+# See https://api.rubyonrails.org/classes/ActionDispatch/PermissionsPolicy.html
+
+Rails.application.config.permissions_policy do |f|
+  # Disable sensitive browser features for security
+  f.camera           :none
+  f.gyroscope        :none
+  f.microphone       :none
+  f.payment          :none
+  f.usb              :none
+  f.magnetometer     :none
+
+  # You can enable specific features as needed:
+  # f.fullscreen      :self
+  # f.geolocation     :self
+
+  # You can also allow specific origins:
+  # f.payment         :self, "https://secure.example.com"
+end