If you are on a sub-domain, AJAX requests will fail (for example when looking at the Alerts drop-down) because XF sets the <base> to be the "primary" sub-domain based on HTTP headers.
XF seems to always do AJAX requests via a relative URL (which adheres to the <base> tag). The problem is how browsers treat an AJAX request to a different sub-domain the same as a completely different primary domain... so the browser makes an HTTP request to the server with the OPTIONS method to check if it's allowed to make the *actual* request.
I went down the road of setting the server up to answer the OPTIONS/origins requests properly, but the problem is even when you use the "Access-Control-Allow-Credentials" header, not all browsers support it, so cookies don't get sent with the cross-domain AJAX request (no cookies means no logged-in user for that request).
Thankfully, XF routes all AJAX requests through a single method so I was able to just prepend the *actual* hostname to the AJAX URL to make it work with a single file edit.
But... considering AJAX will always fail unless it's sent to the current sub-domain the request originated from, wouldn't it make sense to just prepend the window.location protocol and host to the AJAX URL before it's processed? The relative AJAX URLs being routed to the sub-domain specified in <base> won't fail.
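The rewrite proposed in the post above, sketched as an added example (not XenForo's code and not the poster's actual file edit): a relative AJAX URL is resolved against `<base>` for its path, then pinned to the origin of the page that issued it, so the request stays same-origin and carries the session cookie without a preflight. The function names, hostnames and the `index.php?alerts/popup` route are constructed for illustration.

```javascript
// Added example. Helper names and all sample URLs are hypothetical.

// True when the two URLs differ in scheme, host or port, which is when the
// browser treats an XHR from one to the other as cross-origin.
function isCrossOrigin(a, b) {
  return new URL(a).origin !== new URL(b).origin;
}

// "scheme:..." or protocol-relative "//host/..." means the caller picked a host.
const ABSOLUTE_URL = /^(?:[a-z][a-z0-9+.-]*:|\/\/)/i;

// ajaxUrl:  URL handed to the AJAX layer (usually relative)
// baseHref: value of document.baseURI (the <base> tag)
// pageHref: value of window.location.href
function resolveAjaxUrl(ajaxUrl, baseHref, pageHref) {
  if (ABSOLUTE_URL.test(ajaxUrl)) {
    // Explicit host: leave it alone, only normalise it.
    return new URL(ajaxUrl, pageHref).href;
  }
  // Let <base> decide the path, exactly as the browser would...
  const viaBase = new URL(ajaxUrl, baseHref);
  // ...but take scheme, host and port from the current page.
  return new URL(pageHref).origin + viaBase.pathname + viaBase.search + viaBase.hash;
}

// Constructed scenario: page served from a sub-domain, <base> names the primary host.
function demo() {
  const base = "https://www.example.test/community/";
  const page = "https://support.example.test/community/threads/1/";
  const rel = "index.php?alerts/popup";
  const before = new URL(rel, base).href;
  const after = resolveAjaxUrl(rel, base, page);
  return {
    before,
    after,
    beforeCrossOrigin: isCrossOrigin(page, before),
    afterCrossOrigin: isCrossOrigin(page, after),
  };
}

// In a browser: resolveAjaxUrl(url, document.baseURI, window.location.href)
```
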