(It sounds like this attack depends on a complete version of the website being available over port 80)
No, it doesn't. An attacker can always connect to the website over HTTPS and proxy the content to the victim over port 80.
(It sounds like this attack depends on a complete version of the website being available over port 80)