The extensions loads JavaScript from api.html5media.info/1.1.5/html5media.min.js - over an unsecured HTTP-connection. This is not mentioned on the extension page though it has severe security implications. Extensions should be self-contained; for a secure setup, no third party content must be loaded.
Topic on Extension talk:Html5mediator
I followed the instructions here:
https://github.com/etianen/html5media/wiki/hosting-html5media
I copied the files to a "js" directory under the Html5mediator directory, and then added these lines after $wgHooks in the php file:
$wgResourceModules ['ext.Html5mediator.js'] = array (
'localBasePath' => __DIR__ . '/js',
'remoteExtPath' => 'Html5mediator/js',
'scripts' => 'html5media.min.js'
);