diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
--- a/Lib/test/test_urllib2.py
+++ b/Lib/test/test_urllib2.py
@@ -107,9 +107,25 @@
 >>> r.get_header("Not-there", "default")
 'default'
 
+ In issue 17322 it was reported that the following document:
+
+ http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-22#section-3.2.4
+
+ indicates that spaces between the header name and the colon have caused
+ security issues in the past, and recommends not allowing them, and
+ removing them if encountered. So we do that, both for add_header and for
+ add_unredirected_header. Since we are removing trailing spaces, it seems
+ to make sense to remove leading spaces as well.
+
+ >>> r.add_header(' foo ', 'bar')
+ >>> r.get_header('Foo')
+ 'bar'
+ >>> r.add_unredirected_header(' foo2 ', 'bar2')
+ >>> r.unredirected_hdrs['Foo2']
+ 'bar2'
+
 """
 
-
 def test_password_manager(self):
 """
 >>> mgr = urllib.request.HTTPPasswordMgr()
diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py
--- a/Lib/urllib/request.py
+++ b/Lib/urllib/request.py
@@ -255,11 +255,11 @@
 
 def add_header(self, key, val):
 # useful for something like authentication
- self.headers[key.capitalize()] = val
+ self.headers[key.strip().capitalize()] = val
 
 def add_unredirected_header(self, key, val):
 # will not be added to a redirected request
- self.unredirected_hdrs[key.capitalize()] = val
+ self.unredirected_hdrs[key.strip().capitalize()] = val
 
 def has_header(self, header_name):
 return (header_name in self.headers or
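Review bot: The added doctest pads the header names only with ASCII spaces (`' foo '`, `' foo2 '`), while `str.strip()` with no argument also removes tabs, CR and LF, so the trimming the paragraph describes is only partly pinned down. A further case with a tab-padded name (escaped as the enclosing docstring requires) followed by `>>> r.get_header('Foo3')` would cover that, and the paragraph could say "whitespace" rather than "spaces" to match what the code does. The docstring this text belongs to starts above the hunk.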
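Review bot: `key.strip()` in `add_header` and `add_unredirected_header` trims only the ends of the name, so a name with whitespace or a CR/LF in the middle is still stored as given, and `val` is not examined at all; whether a later layer rejects such names is not visible in this hunk. If the intent is to follow the cited draft, the name could be validated after trimming, for example `if any(c.isspace() for c in key): raise ValueError("invalid header name %r" % key)`, or the limitation could at least be stated in the existing comments. `has_header` at the end of the hunk tests `header_name` exactly as passed, so a caller that checks with the same padded name it added would no longer match; its body continues outside the hunk. Both methods now repeat `key.strip().capitalize()`, and a small private helper would keep the two in step.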