[mceachen]

It depends on the site. For example, a Twitter timeline or Google search engine result page only needs the https request for the auction to take place, as the ads are mixed into the first-party response.

Third-party ads inserted via javascript behave as you describe.

Blocking third-party cookies (by using ublock origin or a pi-hole or firefox) helps prevent more actors from observing your online activity, but simply by being in the ad auction, third parties can get a lot of indirect information (via real-time bidding, or RTB).