I'm looking at the defaults of Helmet.js and encountered X-Download-Options.
Currently, I've found these:

noopen

to this header, any downloaded HTML file's JS will run in the current site's context.

X-Download-Options says it removes the Open button and replaces it with a Save button.

Is the below a possible attack that must be prevented with X-Download-Options?

Site foo.com allows one user to store a file and another user to download the file.

localStorage etc. via JS.

One year later, I stumbled on the same question but found an answer.

https://www.invicti.com/white-papers/whitepaper-http-security-headers/#XDownloadOptionsHTTPHeader

TL;DR: The downloaded HTML file will be executed in the site's context, so an attacker can access cookies etc.