
What does `X-Download-Options: noopen` do?


I'm looking at the defaults of Helmet.js and encountered X-Download-Options. Currently, I've found these:

  • It's only for IE8
  • In IE8, if you don't set noopen in this header, any downloaded HTML file's JS will run in the current site's context
  • Another question about X-Download-Options says it removes the Open button and replaces it with a Save button

Is the following a possible attack that must be prevented with X-Download-Options?

Site foo.com allows one user to store a file and another user to download it.

  • Bad guy: stores an HTML file which sends him the user's cookies, localStorage, etc. via JS
  • User: downloads this file; it immediately opens and runs the JS, and everything is gone

Solution

  • One year later, I stumbled on the same question but found an answer.

    https://www.invicti.com/white-papers/whitepaper-http-security-headers/#XDownloadOptionsHTTPHeader

    TL;DR: the downloaded HTML file will be executed in the site's context, so the attacker can access cookies, etc.