HTML typemustmatch Attribute

Beginner
⏱️ 5 min read
📚 Updated: Jun 2026
🎯 3 Examples
Embedded Media

Introduction

The typemustmatch attribute is used on the <object> element to ensure that an external resource’s MIME type matches the value declared in the type attribute. When present, the browser should only embed the resource if the types agree.

This helps improve security and reliability when embedding PDFs, videos, or other external files. If the server returns unexpected content (for example, HTML disguised as a PDF), strict matching can block the embed and show your fallback message instead.

What You’ll Learn

01

object only

Not for inputs.

02

Boolean

On or off.

03

With type

MIME must match.

04

Fallback

Inner HTML.

05

JavaScript

typeMustMatch.

06

Security

Extra layer.

Purpose of typemustmatch

The primary purpose of the typemustmatch attribute is to enforce strict type checking for embedded resources. When this attribute is set on <object>, the browser should load the resource only if its MIME type matches the specified type attribute. This can prevent unintended or malicious content from being rendered inside the object.

Without typemustmatch, some browsers may still attempt to use a resource even when the declared type and actual content disagree. Adding the attribute makes your intent explicit.

💡
Not for file inputs

typemustmatch applies to <object>, not <input type="file">. File upload filtering uses the separate accept attribute.

📝 Syntax

Use typemustmatch on <object> together with data and type:

index.html
<object data="example.pdf" type="application/pdf" typemustmatch>
  <p>Your browser does not support PDFs.
    <a href="example.pdf">Download the PDF</a>.
  </p>
</object>

Syntax Rules

  • Boolean attribute — presence means true; omit for default (false).
  • Requires both data (resource URL) and type (expected MIME type).
  • Always provide fallback content inside <object> for unsupported or blocked resources.
  • JavaScript property: HTMLObjectElement.typeMustMatch (camelCase).
  • Use accurate MIME types (e.g. application/pdf, video/mp4, image/svg+xml).
  • Pair with Content Security Policy and trusted sources for defense in depth.

💎 Values

The typemustmatch attribute is a boolean attribute. It does not take meaningful string values:

  • Present (typemustmatch or typemustmatch="") — Enforce strict MIME type matching.
  • Absent — Type matching is not strictly enforced (browser default behavior).
boolean.html
<!-- Enforced -->
<object data="doc.pdf" type="application/pdf" typemustmatch>...</object>

<!-- Not enforced -->
<object data="doc.pdf" type="application/pdf">...</object>

⚡ Quick Reference

SettingBehaviorWhen to use
typemustmatch presentResource MIME must match typeUntrusted or user-supplied URLs
Attribute absentBrowser may load despite mismatchTrusted same-origin assets only
With fallback HTMLUser sees download link or messageAlways recommended
typeMustMatch = trueEnable via JavaScriptConditional strict mode
Common MIME typesapplication/pdf, video/mp4PDF and video embeds
Element<object> onlyNot global

Applicable Elements

ElementSupported?Notes
<object>YesPrimary and only standard use; requires data + type
<embed>NoUse type alone; no typemustmatch
<iframe>NoDifferent embedding model; use CSP and sandbox
<input type="file">NoUse accept for file picker hints
<link>, <script>NoNot applicable

typemustmatch vs type vs accept

AttributeElementRole
type<object>Declares expected MIME type of data
typemustmatch<object>Forces actual MIME to match declared type
accept<input type="file">Filters file picker extensions/MIME types
type<input>Defines input control kind (text, email, etc.)

Examples Gallery

Embed a PDF with strict matching, enable typemustmatch from JavaScript, and see fallback content when types disagree.

👀 Live Preview

Markup for an <object> with PDF type and strict matching (fallback text shown if embed is blocked):

<object data="report.pdf" type="application/pdf" typemustmatch>
  Download link fallback
</object>

Implementation Example

A simple PDF embed with typemustmatch and accessible fallback:

index.html
<object data="example.pdf" type="application/pdf" typemustmatch>
  <p>Your browser does not support PDFs.
    <a href="example.pdf">Download the PDF</a>.
  </p>
</object>

How It Works

The browser fetches example.pdf and checks its Content-Type. With typemustmatch, the embed succeeds only when the response is application/pdf. Otherwise the inner paragraph and download link are shown.

Dynamic Values with JavaScript

Enable strict matching programmatically when conditions are met:

dynamic.html
<object id="dynamicObject" data="example.pdf" type="application/pdf">
  <p>Fallback content</p>
</object>

<script>
  document.getElementById("dynamicObject").typeMustMatch = true;
</script>

How It Works

The object starts without strict checking. Setting typeMustMatch = true (or setAttribute("typemustmatch", "")) turns on the same behavior as the HTML boolean attribute.

Example — type mismatch and fallback

When declared type and actual MIME disagree, fallback content appears:

mismatch.html
<object data="report.pdf" type="video/mp4" typemustmatch>
  <p>Resource type did not match. <a href="report.pdf">Download anyway</a>.</p>
</object>

How It Works

A PDF file cannot satisfy type="video/mp4". With typemustmatch, the browser blocks the embed and renders the fallback paragraph instead of treating the file as video.

♿ Accessibility

  • Always include fallback content — Provide a text description and a download link when the embed cannot load.
  • Do not rely on plugins alone — Many users cannot view embedded PDFs or legacy plugin content; offer alternatives.
  • Use descriptive link text — “Download the annual report (PDF)” is clearer than “click here.”
  • Consider <iframe> or native viewers — For critical documents, a dedicated viewer page may be more accessible than <object>.
  • Announce blocked content — Fallback messages should explain why the embed failed in plain language.

🧠 How typemustmatch Works

1

Set data + type

URL and MIME hint.

HTML
2

Add typemustmatch

Strict mode on.

Boolean
3

Browser compares MIME

Match or block.

Check
=

Safer embed

Or fallback.

Browser Support

The typemustmatch attribute is supported in modern browsers for <object> elements. Behavior depends on how each browser handles object embedding and MIME sniffing; always test with real resources and provide fallback content.

Good · Modern browsers

Supported where object embedding is used

Test across browsers when embedding user-controlled URLs. Combine with CSP for stronger protection.

90% Modern browsers
Google Chrome Supported
Supported
Mozilla Firefox Supported
Supported
Apple Safari Supported
Supported
Microsoft Edge Supported
Supported
typemustmatch on <object> Good

Bottom line: Safe to use with fallback content; verify behavior when embedding third-party or user-supplied files.

💡 Best Practices

✅ Do

  • Use typemustmatch when embedding external or user-chosen URLs
  • Always pair with accurate type MIME values
  • Provide meaningful fallback HTML inside <object>
  • Combine with Content Security Policy (CSP)
  • Test across browsers with real files

❌ Don’t

  • Confuse it with accept on file inputs
  • Assume it replaces server-side validation
  • Embed untrusted content without CSP or sandboxing
  • Leave <object> empty when embed fails
  • Guess MIME types — use correct values from the spec
  • Use typemustmatch to enhance security by ensuring only the intended resource type is loaded.
  • Combine it with other measures like Content Security Policy to further protect pages from malicious content.
  • Test your implementation across different browsers to ensure consistent behavior.

🎉 Conclusion

The typemustmatch attribute is a useful feature for ensuring that embedded resources match their specified MIME types on <object> elements. By enforcing this check, you can enhance the security and reliability of your web pages.

Understanding how to use this attribute, both statically in HTML and dynamically with JavaScript, helps you control embedded content and give users clear fallback options when a resource cannot be displayed.

Key Takeaways

Knowledge Unlocked

4 truths every developer should know about typemustmatch

Bookmark these before your next typemustmatch implementation.

4
Core concepts
📝 02

Boolean attribute

It is a boolean attribute that requires the resource MIME type to match type.

Syntax
⚙️ 03

Always include fallback content

Always include fallback content inside <object> for blocked or unsupported embeds.

Usage
🔒 04

JavaScript API

In JavaScript, use objectElement.typeMustMatch = true to enable strict matching.

Dynamic

❓ Frequently Asked Questions

No. File upload filtering uses the accept attribute on <input type="file">. typemustmatch is only for <object> elements.
Use type="application/pdf" together with your PDF URL in the data attribute.
With typemustmatch, the browser should refuse to embed the resource and show your fallback content. Without it, behavior may vary.
Set objectElement.typeMustMatch = false or call removeAttribute("typemustmatch").
It is one layer. Also use CSP, trusted sources, HTTPS, and server-side validation. Never embed arbitrary user URLs without additional safeguards.

Practice object embedding

Try the PDF embed example, then enable typemustmatch with JavaScript.

Try the PDF example →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

5 people found this page helpful