Ingenious
This is fairly ingenious. In my opinion Chirgwin makes a bit of a meal out of it, but the salient points are:
1. An HTTP CONNECT request to a proxy will usually (but not necessarily) be transmitted in the clear and may therefore be intercepted.
2. Mr Decime took advantage of the previous point by sending a response to the browser which does not conform to the protocol: RFC 7235 states that a 407 MUST be accompanied by a "Proxy-Authenticate" header. It looks like WebKit does not check for this and treats a 407, which in principle should only be generated by a proxy and not by the end server, as any other 4xx response, and therefore evaluates the response body within the security context of the end server.
Note: Seriously sleep-deprived. I might have got something wrong myself above.
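As an added example, not code from the comment above nor from WebKit: a small Python validator that applies the RFC 7235 rule from point 2 to a raw reply received after a CONNECT. It rejects a 407 that carries no Proxy-Authenticate challenge, and also a 407 arriving when the client never sent the request to a proxy, and in both cases says the body must not be rendered. The sample replies are constructed, and the function names and the `sent_to_proxy` flag are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample replies (not captured traffic).
INJECTED_BODY = b"<html>injected by the interceptor</html>"

GENUINE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Basic realm=\"corp-proxy\"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# A 407 with no Proxy-Authenticate challenge: the shape of the forged reply
# described in point 2 of the comment.
FORGED_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(INJECTED_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + INJECTED_BODY
)

OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: (.*))?$")
# RFC 7235 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ];
# we only verify that the auth-scheme is an HTTP token.
CHALLENGE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+(?:\s.*)?$")


def parse_response(raw: bytes) -> Tuple[int, Dict[bytes, List[bytes]], bytes]:
    """Split a raw HTTP/1.x response into (status, headers, body).

    Header names are lower-cased; repeated headers are kept as a list.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if m is None:
        raise ValueError("malformed status line: %r" % lines[0])
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers, body


def check_connect_reply(raw: bytes, sent_to_proxy: bool) -> Tuple[bool, str]:
    """Return (accept, reason) for a reply received after a CONNECT request.

    sent_to_proxy (assumed flag): True iff the client itself sent the request
    to a configured proxy. A 407 is only meaningful in that case.
    """
    status, headers, _body = parse_response(raw)
    if status != 407:
        return True, "status %d: not a proxy-auth challenge, handle normally" % status
    if not sent_to_proxy:
        return False, "407 but the request was not sent to a proxy: reject, do not render body"
    challenges = [c for c in headers.get(b"proxy-authenticate", []) if c]
    if not challenges:
        return False, ("407 without Proxy-Authenticate violates RFC 7235 s3.2: "
                       "reject, do not render body")
    bad = [c for c in challenges if CHALLENGE.match(c) is None]
    if bad:
        return False, "407 with malformed challenge %r: reject, do not render body" % bad[0]
    return True, "407 with challenge(s) %r: prompt for proxy credentials" % challenges


if __name__ == "__main__":
    for label, raw, via_proxy in (
        ("genuine 407 via proxy", GENUINE_407, True),
        ("forged 407 via proxy", FORGED_407, True),
        ("407 with no proxy configured", GENUINE_407, False),
        ("200 via proxy", OK_200, True),
    ):
        accept, reason = check_connect_reply(raw, via_proxy)
        print("%-30s accept=%-5s %s" % (label, accept, reason))
```

The two rejection branches are the two checks the comment says are missing: a 407 must come from a proxy the client actually spoke to, and it must carry a challenge. Either failure means the reply is a protocol error, and the safe response is to drop the body rather than hand it to the renderer in the end server's origin.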