👀 Live Preview
Markup for an <object> with PDF type and strict matching (fallback text shown if embed is blocked):
Download link fallback
</object>

The typemustmatch attribute is used on the <object> element to ensure that an external resource’s MIME type matches the value declared in the type attribute. When present, the browser should only embed the resource if the types agree.
This helps improve security and reliability when embedding PDFs, videos, or other external files. If the server returns unexpected content (for example, HTML disguised as a PDF), strict matching can block the embed and show your fallback message instead.
Not for inputs.
On or off.
MIME must match.
Inner HTML.
typeMustMatch.
Extra layer.
typemustmatchThe primary purpose of the typemustmatch attribute is to enforce strict type checking for embedded resources. When this attribute is set on <object>, the browser should load the resource only if its MIME type matches the specified type attribute. This can prevent unintended or malicious content from being rendered inside the object.
Without typemustmatch, some browsers may still attempt to use a resource even when the declared type and actual content disagree. Adding the attribute makes your intent explicit.
typemustmatch applies to <object>, not <input type="file">. File upload filtering uses the separate accept attribute.
Use typemustmatch on <object> together with data and type:
<object data="example.pdf" type="application/pdf" typemustmatch>
<p>Your browser does not support PDFs.
<a href="example.pdf">Download the PDF</a>.
</p>
</object>true; omit for default (false).data (resource URL) and type (expected MIME type).<object> for unsupported or blocked resources.HTMLObjectElement.typeMustMatch (camelCase).application/pdf, video/mp4, image/svg+xml).The typemustmatch attribute is a boolean attribute. It does not take meaningful string values:
typemustmatch or typemustmatch="") — Enforce strict MIME type matching.<!-- Enforced -->
<object data="doc.pdf" type="application/pdf" typemustmatch>...</object>
<!-- Not enforced -->
<object data="doc.pdf" type="application/pdf">...</object>| Setting | Behavior | When to use |
|---|---|---|
typemustmatch present | Resource MIME must match type | Untrusted or user-supplied URLs |
| Attribute absent | Browser may load despite mismatch | Trusted same-origin assets only |
| With fallback HTML | User sees download link or message | Always recommended |
typeMustMatch = true | Enable via JavaScript | Conditional strict mode |
| Common MIME types | application/pdf, video/mp4 | PDF and video embeds |
| Element | <object> only | Not global |
| Element | Supported? | Notes |
|---|---|---|
<object> | Yes | Primary and only standard use; requires data + type |
<embed> | No | Use type alone; no typemustmatch |
<iframe> | No | Different embedding model; use CSP and sandbox |
<input type="file"> | No | Use accept for file picker hints |
<link>, <script> | No | Not applicable |
typemustmatch vs type vs accept| Attribute | Element | Role |
|---|---|---|
type | <object> | Declares expected MIME type of data |
typemustmatch | <object> | Forces actual MIME to match declared type |
accept | <input type="file"> | Filters file picker extensions/MIME types |
type | <input> | Defines input control kind (text, email, etc.) |
Embed a PDF with strict matching, enable typemustmatch from JavaScript, and see fallback content when types disagree.
Markup for an <object> with PDF type and strict matching (fallback text shown if embed is blocked):
A simple PDF embed with typemustmatch and accessible fallback:
<object data="example.pdf" type="application/pdf" typemustmatch>
<p>Your browser does not support PDFs.
<a href="example.pdf">Download the PDF</a>.
</p>
</object>The browser fetches example.pdf and checks its Content-Type. With typemustmatch, the embed succeeds only when the response is application/pdf. Otherwise the inner paragraph and download link are shown.
Enable strict matching programmatically when conditions are met:
<object id="dynamicObject" data="example.pdf" type="application/pdf">
<p>Fallback content</p>
</object>
<script>
document.getElementById("dynamicObject").typeMustMatch = true;
</script>The object starts without strict checking. Setting typeMustMatch = true (or setAttribute("typemustmatch", "")) turns on the same behavior as the HTML boolean attribute.
When declared type and actual MIME disagree, fallback content appears:
<object data="report.pdf" type="video/mp4" typemustmatch>
<p>Resource type did not match. <a href="report.pdf">Download anyway</a>.</p>
</object>A PDF file cannot satisfy type="video/mp4". With typemustmatch, the browser blocks the embed and renders the fallback paragraph instead of treating the file as video.
<iframe> or native viewers — For critical documents, a dedicated viewer page may be more accessible than <object>.URL and MIME hint.
Strict mode on.
Match or block.
Or fallback.
The typemustmatch attribute is supported in modern browsers for <object> elements. Behavior depends on how each browser handles object embedding and MIME sniffing; always test with real resources and provide fallback content.
Test across browsers when embedding user-controlled URLs. Combine with CSP for stronger protection.
<object> GoodBottom line: Safe to use with fallback content; verify behavior when embedding third-party or user-supplied files.
typemustmatch when embedding external or user-chosen URLstype MIME values<object>accept on file inputs<object> empty when embed failstypemustmatch to enhance security by ensuring only the intended resource type is loaded.The typemustmatch attribute is a useful feature for ensuring that embedded resources match their specified MIME types on <object> elements. By enforcing this check, you can enhance the security and reliability of your web pages.
Understanding how to use this attribute, both statically in HTML and dynamically with JavaScript, helps you control embedded content and give users clear fallback options when a resource cannot be displayed.
typemustmatchBookmark these before your next typemustmatch implementation.
typemustmatch applies to <object>, not file inputs or other elements.
It is a boolean attribute that requires the resource MIME type to match type.
Always include fallback content inside <object> for blocked or unsupported embeds.
In JavaScript, use objectElement.typeMustMatch = true to enable strict matching.
accept attribute on <input type="file">. typemustmatch is only for <object> elements.type="application/pdf" together with your PDF URL in the data attribute.typemustmatch, the browser should refuse to embed the resource and show your fallback content. Without it, behavior may vary.objectElement.typeMustMatch = false or call removeAttribute("typemustmatch").Try the PDF embed example, then enable typemustmatch with JavaScript.
5 people found this page helpful