Launcher logs requests and reponses to https://xsts.auth.xboxlive.com/xsts/authorize

The bug

The launcher seems to log the content of requests and responses to https://xsts.auth.xboxlive.com/xsts/authorize. This seems to include sensitive tokens.

See attachment https://bugs.mojang.com/secure/attachment/498579/launcher_log.txt from MC-253836, and search there for "https://xsts.auth.xboxlive.com/xsts/authorize".

Unsure how to reproduce this; "Affected Version" of this report might not be correct.

(Would in general be good to check the data the launcher is logging, there seem to be other suspicious strings such as "RefreshXtoken".)