Shouldn't a sensible CORS policy by the webserver block these access attempts?

Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.