In the case of an attack, you don’t care about how much effort the web browser would have to make, only the web server.

In fact, instead of serving a malicious client a 200 empty file, you might want to serve up <script>while(1){}</script> .