It's supposed to not use credentials in the iframe request evne when the policy allows to use credentials storage because BlockThirdParty storage blocking policy is used. Non-mac ports don't really support that, because I think they use the cache partitioning for this. We don't expose storage blocking policy in the API either, so it's not a big deal.
Adding new and failing http/tests/security/credentials-iframes-allowCrossOriginSubresourcesToAskForCredentials.html, which is basically the same with allowCrossOriginSubresourcesToAskForCredentials=true and was copied from the credentials-iframes.html test.