Porting this from @domfarolino's investigative work on whatwg/html#3656 (comment). Some work landed in #11274 and #13176, but for thorough coverage, we should also test:

• Default <link rel=modulepreload> credentials mode, and the affect of crossorigin="" on it
• Default credentials mode for module worker descendant imports (static and dynamic), and the affect of the credentials Worker constructor option on it
• Default credentials mode for classic worker descendant dynamic imports (cannot be changed)
• Default credentials mode for javascript: URL dynamic imports (cannot be changed)
• Ensure that cross-origin module workers are not supported (despite existing for a brief period in the spec)

And as a bonus, not really related to modules:

• Default credentials mode for classic worker importScripts(). Per the spec I guess this is "omit"? I might be reading it wrong though.