The extensions loads JavaScript from api.html5media.info/1.1.5/html5media.min.js - over an unsecured HTTP-connection. This is not mentioned on the extension page though it has severe security implications. Extensions should be self-contained; for a secure setup, no third party content must be loaded.
Topic on Extension talk:Html5mediator/Flow
Appearance
I followed the instructions here:
https://github.com/etianen/html5media/wiki/hosting-html5media
I copied the files to a "js" directory under the Html5mediator directory, and then added these lines after $wgHooks in the php file:
$wgResourceModules ['ext.Html5mediator.js'] = array ( 'localBasePath' => __DIR__ . '/js', 'remoteExtPath' => 'Html5mediator/js', 'scripts' => 'html5media.min.js' );