I am not sure, but I think browsers will block access to third party cookies from javascript. In your example, c.com/script.js will not be able to access b.com cookies. Now, when the browser sends the request to b.com/image.png, browsers will NOT send the cookies associated with b.com when visiting other domains than b.com. BUT, the request might contains a “referer” info set by the browser, hence b.com can still track you. This is something that some browsers block already, but as a web developer, I always see referers in the logs, so it’s either not working, or it is opt-in in the options, and normies don’t change it…