Submitting form via Ajax and inserting into DB

User submitted values should be escaped:

like this:

xhr.send('name=' + encodeURIComponent(name) + '&comment=' + encodeURIComponent(comment));

And you could be more strict about checking if $_POST variables are set to avoid notice errors:

if (isset($_POST['name']) && isset($_POST['comment'])) {
    // both fields are present: safe to read them and proceed with the insert
}

if you want to be very precise you could also use is_string() on them because it is possible to receive arrays!

Other than that I’d say the code is technically secure.

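Added example, not code from the thread: it builds the Ajax body with encodeURIComponent as the reply recommends, then runs a small decoder over both the encoded and the raw-concatenated body to show why the encoding matters. The function names (buildFormBody, parseFormBody, buildFormBodyUnsafe, sendForm) and the sample field values are this example's own.

```javascript
// Encode each field as application/x-www-form-urlencoded. Every key and value
// goes through encodeURIComponent, so '&', '=', '%', '+' and non-ASCII text in
// user input cannot break the key=value&key=value framing of the body.
function buildFormBody(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(String(v)))
    .join('&');
}

// Minimal decoder that mirrors what the server does with the body: split on
// '&', then on the first '=', and percent-decode each side ('+' means space).
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const rawKey = i === -1 ? pair : pair.slice(0, i);
    const rawVal = i === -1 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawVal.replace(/\+/g, ' '));
  }
  return out;
}

// The pattern the reply warns against: raw string concatenation. A value that
// contains '&' or '=' is split into extra parameters on the server side.
function buildFormBodyUnsafe(fields) {
  return Object.entries(fields).map(([k, v]) => k + '=' + v).join('&');
}

// How the encoded body would be sent with an XMLHttpRequest that has already
// been opened with open('POST', url).
function sendForm(xhr, fields) {
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  xhr.send(buildFormBody(fields));
}

// Constructed sample input: user-supplied values that contain form delimiters.
const sample = { name: 'Alice & Bob', comment: 'a=b&admin=1' };

// Decode both variants so the difference can be inspected or asserted on.
function demo() {
  return {
    safe: parseFormBody(buildFormBody(sample)),       // two fields, values intact
    unsafe: parseFormBody(buildFormBodyUnsafe(sample)) // four fields, including an unexpected 'admin'
  };
}

module.exports = { buildFormBody, parseFormBody, buildFormBodyUnsafe, sendForm, demo };
```

With the raw concatenation the server sees an extra parameter named admin that the form never had, and name is truncated at the ampersand; with encodeURIComponent the body round-trips to exactly the two fields submitted. The server-side isset and is_string checks from the reply are a separate layer and are not replaced by client-side encoding.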